9.26. Upgrading and Tuning Snort’s Ruleset

Problem

You want Snort to use the latest intrusion signatures.

Solution

Download the latest rules from http://www.snort.org and install them in /usr/local/share to be consistent with our other Snort recipes:

# tar xvpzf snortrules-stable.tar.gz -C /usr/local/share

To test a configuration change, or to verify that a set of command-line options is accepted, run Snort in self-test mode. It parses snort.conf and the rules it includes, reports any problems, and exits without capturing packets:

# snort -T ...

To omit the verbose initialization and summary messages:

# snort -q ...

Discussion

The field of NIDS is an area of active research, and Snort is undergoing rapid development. Furthermore, the arms race between attackers and defenders of systems continues to escalate. You should upgrade your Snort installation frequently to cope with the latest threats.

If you have locally modified your rules, then before upgrading them, preserve your changes and merge them into the new versions. If you confine your site-specific additions to the file local.rules, merging will be a lot easier.
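The procedure above (unpack the new ruleset, keep local.rules intact, then self-test with snort -T) as a small POSIX shell helper. This is an added example, not code from the Linux Security Cookbook or from the Snort project. It assumes, which the recipe does not state, that the tarball unpacks a top-level rules/ directory, that site-specific rules live in rules/local.rules, and that the backup names and the snort.conf path are placeholders you would adjust:

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook or the Snort project.
# Assumptions (hypothetical, not stated in the recipe): the tarball unpacks a
# top-level rules/ directory, site-specific rules live in rules/local.rules,
# and the backup naming and snort.conf path are placeholders.

# upgrade_rules TARBALL RULES_DIR
#   1. keep a dated copy of the current rules directory (for rollback)
#   2. set aside the current local.rules
#   3. unpack the new ruleset
#   4. put local.rules back so an upstream placeholder does not clobber it
upgrade_rules() {
    tarball="$1"
    dest="$2"
    rules="$dest/rules"
    stamp=$(date +%Y%m%d%H%M%S)

    [ -f "$tarball" ] || { echo "upgrade_rules: no such file: $tarball" >&2; return 1; }
    mkdir -p "$dest" || return 1

    if [ -d "$rules" ]; then
        cp -Rp "$rules" "$rules.bak.$stamp" || return 1
    fi
    if [ -f "$rules/local.rules" ]; then
        cp -p "$rules/local.rules" "$dest/local.rules.$stamp" || return 1
    fi

    tar xpzf "$tarball" -C "$dest" || return 1

    if [ -f "$dest/local.rules.$stamp" ]; then
        cp -p "$dest/local.rules.$stamp" "$rules/local.rules" || return 1
    fi
    echo "rules upgraded; previous set kept in $rules.bak.$stamp"
}

# changed_rules OLD_DIR NEW_DIR
#   List the rule files that differ between the saved copy and the new set,
#   so new or changed signatures can be reviewed before they go live.
#   diff(1) exits 1 when files differ, which is the expected case here, so
#   only exit status 2 (an error) is treated as failure.
changed_rules() {
    diff -rq "$1" "$2" || [ $? -eq 1 ]
}

# check_config CONF
#   Run "snort -T" (parse the configuration and rules, report problems,
#   exit without sniffing). Returns 2 when snort is not on PATH so a caller
#   can tell "skipped" from "failed".
check_config() {
    conf="$1"
    if ! command -v snort >/dev/null 2>&1; then
        echo "check_config: snort not found, self-test skipped" >&2
        return 2
    fi
    snort -T -q -c "$conf"
}

# Typical use after downloading snortrules-stable.tar.gz (paths hypothetical):
#   upgrade_rules snortrules-stable.tar.gz /usr/local/share
#   changed_rules /usr/local/share/rules.bak.<stamp> /usr/local/share/rules
#   check_config /usr/local/share/snort.conf
```

Review the output of changed_rules before restarting Snort: a ruleset update can change a signature's action or thresholds, not only add new ones. If check_config fails, the dated rules.bak copy can be moved back into place to roll back.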

Although the snort.conf file can be used without modification, it is worthwhile to edit the file to customize Snort’s operation for your site. Comments in the file provide a guided tour of Snort’s features, and can be used as a step-by-step configuration guide, along with the Snort User’s Manual.

The most important parameters are the network variables at the beginning of the configuration file. These define the boundaries of your networks, and the usage patterns within those networks. For quick testing, you can override ...
