r110 - 22 Jun 2009 - 03:40:31 - JamesMcQuaid

Snort.Conf Samples

The goal of this page is to provide a set of sample snort.conf files, along with some samples for using other common tools with data from Emerging Threats. These will represent Snort installations of different sizes and goals. We do not intend to provide snort.conf files that you can use without modification or understanding, but rather guides to help you benefit from the experience of the community as a whole.

We welcome submissions and tips to improve these files, as well as ideas for new types of configs to add.

This page is maintained by JamesMcQuaid

* Diagram portraying home network defended by multiple layers of Snort Inline:
EmergingNetworkTopology.gif

HoneywallSamples (includes Honeywall and Smoothwall Snort config files, installation and usage tutorials, and DNS Blackhole files)

  • snort_inline.conf: This Snort Inline configuration will use over 900 MB of RAM. Most rules are set to drop; do not use Honeywall's autogenerated replace rules. Will Metcalf, the current maintainer of snort_inline, does not recommend blindly converting as many rules as possible to use replace. Will has said not to use replace in rules that contain the keyword flowbits:noalert, because those rules are used for protocol identification/behavior and are checked later by separate rules that alert/drop.

EmergingFirewallRules

RussianBusinessNetwork (includes resources for blocking the RBN)

FirekeeperforFirefox

  • brandjackers.txt: Organized crime brandjacking Adobe, Kaspersky, McAfee and Symantec.