Four ways to find Snort rules
Once you have installed, configured and started working with Snort, the next thing to think about is rules. Snort's rules define the patterns and criteria it uses to look for potentially malicious traffic on your network; without them, Snort is just another sniffer. To help you get started, here are four places to find the Snort rules you need.
1. Download the official ruleset from Snort.org

The official rules are provided on the Snort.org website as "tarball" snapshots (http://www.snort.org/dl/rules/) or via anonymous CVS (http://cvs.snort.org/viewcvs.cgi/snort/rules/). If you pick the snapshot that matches the Snort engine you are running, as explained on the download page, the rules are guaranteed to work. If you pick the wrong one, Snort will probably refuse to start, because newer rule options are not understood by older engines, so verify the version of Snort you are using (or simply upgrade to the latest release) and try again. Some legacy rules in the official set are loose or undocumented, but since Brian Caswell took on the role of rules maintainer the rules have been well written and well documented. I would strongly recommend starting with, and learning from, these rules….
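The version check and "try again" step above is easy to script. The following is an added example, not code from the original article or from the Snort project: it reads the engine release from the `snort -V` banner and test-loads a downloaded snapshot with `snort -T`, which parses snort.conf and every included rule file and exits non-zero on a parse error without ever sniffing traffic, so a mismatched snapshot is caught before the sensor goes live. It assumes `snort` is on `PATH`, that the snapshot tarball unpacks into a `rules/` directory next to your snort.conf, and that snort.conf includes those files via `$RULE_PATH`; the banner text used for the demonstration is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): check the running Snort release and
# test-load a rules snapshot before relying on it.
# Assumptions: snort is on PATH; the tarball unpacks into "rules/" beside
# snort.conf; snort.conf includes the rules via $RULE_PATH/...

# Reduce the `snort -V` banner on stdin to "major.minor", e.g.
# "Version 2.4.3 (Build 26)" -> "2.4". Only the first matching line counts.
snort_release() {
    sed -n 's/.*Version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# Constructed sample banner in the shape `snort -V` prints (not real output).
SAMPLE_BANNER=$(cat <<'EOF'
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.3 (Build 26)
           By Martin Roesch and The Snort Team
EOF
)

# Unpack a snapshot next to snort.conf and test the full configuration.
# `snort -T` reports "Snort successfully loaded all rules and checked all
# rule chains!" and exits 0, or prints the offending file/line and exits
# non-zero, so the return value of this function is the go/no-go signal.
install_and_test_rules() {
    tarball=$1   # snapshot downloaded from http://www.snort.org/dl/rules/
    conf=$2      # e.g. /etc/snort/snort.conf

    echo "Snort engine release: $(snort -V 2>&1 | snort_release)"
    tar -xzf "$tarball" -C "$(dirname "$conf")" &&
    snort -T -c "$conf"
}

# Demonstration on the constructed banner (prints "2.4"):
printf '%s\n' "$SAMPLE_BANNER" | snort_release

# Real use on a sensor (requires snort and a downloaded snapshot):
#   install_and_test_rules snortrules-snapshot.tar.gz /etc/snort/snort.conf
```

If `snort -T` fails on a freshly downloaded snapshot, compare the release printed on the first line with the snapshot you chose on the download page; the usual cause is a rule option that the installed engine does not yet support, which is exactly the "wrong snapshot" case the paragraph describes.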
