Automatically updating Snort rules

As you use Snort, you may find some of the default rules are not useful to you. You may also find a need for rules that are disabled by default, and you may even need to modify some rules. Since Snort needs regular rule updates just like your AV, it’s not practical to manually recreate all of the changes you make each time you download new rules. Fortunately, there is a free tool called Oinkmaster, which does everything you need to maintain your Snort rules, and runs on both UNIX and Windows. (It’s written in Perl, so you’ll need ActivePerl to run it on Windows.)

Oinkmaster is the de-facto rule updater in the Snort community and was released as a production version in May 2004 after several years of beta testing. It is driven by a configuration file in which you define exactly what it should do. First you fetch the latest rules using HTTP, HTTPS, FTP, file or SCP methods. Then you define which files to update or skip, which Signature IDs (SIDs) to modify, which SIDs to enable and which ones to disable. You can also ‘include’ files to an arbitrary depth, which allows for a very modular approach.
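The following oinkmaster.conf fragment is an added example, not taken from the original post or from the Oinkmaster distribution, that walks through the steps just described: fetching a rule archive, choosing which files to touch, and preserving local SID changes across updates. The download URL and the SID numbers are placeholders chosen for illustration, not real rule identifiers.

```conf
# Step 1: where to fetch rules from. Oinkmaster accepts http://, https://,
# ftp://, file:// and scp:// URLs. PLACEHOLDER: replace with the real archive.
url = https://rules.example.invalid/snortrules-snapshot.tar.gz

# Step 2: which files in the archive to update. Anything not matching the
# regular expression is ignored, so unexpected files never land in the rules
# directory.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Files that must never be overwritten by an update. local.rules holds
# site-specific rules that the upstream archive knows nothing about.
skipfile local.rules
skipfile sid-msg.map

# Step 3: SID changes that should survive every update.
# Disable a rule that only produces noise on this network (placeholder SID).
disablesid 100001

# Enable a rule that upstream ships commented out (placeholder SID).
enablesid 100002

# Rewrite a rule in place. Syntax: modifysid <sid> "<regex>" | "<replacement>"
# Here the rule action is changed from alert to log so it still records hits
# without paging the on-call analyst (placeholder SID).
modifysid 100003 "^alert" | "log"

# Protect a SID entirely: keep the local copy even if upstream changes it.
localsid 100004

# Step 4: pull in more settings from separate files. Includes nest to any
# depth, so per-sensor or per-team overrides can live in their own files.
include /etc/oinkmaster/disabled-sids.conf
include /etc/oinkmaster/site-overrides.conf

# Run with: oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules
# Add -c (careful mode) to see what would change without writing anything.
```

A dry run with -c before each scheduled update is the cheapest way to catch an upstream change that silently re-enables a rule you had switched off.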
