Here is a brief description of the rule sets:
My personal favorite set of rules. They detect when a host on your local network is sending a known response to a successful attack. While it might not be as useful as catching the attacker before he has succeeded, the alerts these rules generate are very often not false positives. There are some that are a little noisy—in particular the rule that alerts on a "403 - Forbidden" HTTP response.
Detects traffic generated by backdoor network connections, including those created by attackers using many rootkits and stealthy remote control applications (like subseven, netbus, and deepthroat).
Watches for illegal packet header settings, such as TCP or UDP traffic to or from port 0, or a SYN packet sent to a multicast address.
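The two header checks described above, written out as a small detection routine so you can see exactly what "illegal header settings" means in practice. This is an added example, not code from the original page and not Snort's own rule logic; the PacketHeader record, the alert strings and the sample packets are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PacketHeader:
    """Minimal view of the fields the checks need (constructed for this example)."""
    proto: str          # "tcp" or "udp"
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int          # source port
    dport: int          # destination port
    flags: str = ""     # TCP flags as letters, e.g. "S" for a bare SYN, "SA" for SYN/ACK


def is_multicast(addr: str) -> bool:
    """True for IPv4 224.0.0.0/4 and IPv6 ff00::/8 destinations."""
    return ipaddress.ip_address(addr).is_multicast


def bad_traffic_alerts(pkt: PacketHeader) -> list[str]:
    """Return one alert string per header anomaly found in the packet.

    Port 0 is reserved and no legitimate service listens or sends on it, so any
    TCP or UDP packet using it is worth an alert. A multicast address is a group
    destination, so a unicast-style TCP handshake to one makes no sense either.
    """
    alerts = []
    if pkt.proto in ("tcp", "udp") and (pkt.sport == 0 or pkt.dport == 0):
        alerts.append(f"BAD-TRAFFIC {pkt.proto} port 0 traffic {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    # Only a SYN-only packet (no ACK bit) marks a connection attempt.
    if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags and is_multicast(pkt.dst):
        alerts.append(f"BAD-TRAFFIC syn to multicast address {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return alerts


# Constructed sample traffic: one normal connection, one port-0 UDP packet,
# one SYN to a multicast group, and one SYN/ACK that must not trigger.
SAMPLE_PACKETS = [
    PacketHeader("tcp", "10.0.0.5", "10.0.0.80", 51000, 80, "S"),
    PacketHeader("udp", "10.0.0.5", "10.0.0.53", 0, 53),
    PacketHeader("tcp", "10.0.0.5", "224.0.0.251", 51001, 5353, "S"),
    PacketHeader("tcp", "10.0.0.80", "224.0.0.251", 80, 51001, "SA"),
]


def scan(packets: list[PacketHeader]) -> list[tuple[int, str]]:
    """Run the checks over a packet list and return (index, alert) pairs."""
    return [(i, a) for i, p in enumerate(packets) for a in bad_traffic_alerts(p)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {alert}")
```

Running it prints two alerts (for packets 1 and 2) and stays quiet on the ordinary HTTP SYN and on the SYN/ACK, which is the distinction a real rule has to make to avoid alerting on every reply.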
Disabled by default. It watches for people using instant messengers and other Internet chat protocols. If this activity is against your organization's security policy, enable this rule set.
Alerts on traffic generated by many well-known distributed denial-of-service tools, including Trin00 and Shaft. The Stacheldraht rules can be noisy, since they are just looking for specific words in the payload that may be common in your environment.
Actually not referenced by default in the snort.conf file; really just a museum of old Snort rules.
Alerts on attacks against DNS servers (including detection of zone transfers).
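To make the zone-transfer detection concrete, here is an added example (not code from the original page and not Snort's own DNS rules) that parses the question section of a DNS query and flags a request whose query type is AXFR, the standard full zone transfer type (252). The build_query helper and the sample addresses are constructed for the demonstration; zone transfers normally run over TCP port 53, so a deployment would apply this check to that traffic.

```python
import struct

QTYPE_A = 1
QTYPE_AXFR = 252   # full zone transfer request


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed helper: encode a single-question DNS query for the demo."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(msg: bytes):
    """Return (name, qtype, qclass) for the first question of a DNS query.

    Returns None for responses (QR bit set) and for messages with no question.
    Raises ValueError on a truncated message.
    """
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:
        return None
    off = 12
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal but never appear in a simple query's
            # first question; treat one as malformed rather than follow it.
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(msg):
        raise ValueError("question truncated before type/class")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass


def zone_transfer_alert(src: str, dst: str, msg: bytes):
    """Alert string if the query asks for a full zone transfer, else None."""
    question = parse_question(msg)
    if question is None:
        return None
    name, qtype, _qclass = question
    if qtype == QTYPE_AXFR:
        return f"DNS zone transfer (AXFR) request for {name} from {src} to {dst}"
    return None


# Constructed sample traffic: a normal A lookup and an AXFR request.
SAMPLE_MESSAGES = [
    ("192.0.2.9", "192.0.2.53", build_query("www.example.com", QTYPE_A)),
    ("192.0.2.9", "192.0.2.53", build_query("example.com", QTYPE_AXFR)),
]


if __name__ == "__main__":
    for src, dst, msg in SAMPLE_MESSAGES:
        alert = zone_transfer_alert(src, dst, msg)
        print(alert or f"no alert for {parse_question(msg)}")
```

Whether an AXFR from a given client is hostile depends on your environment: secondary name servers legitimately request them, so a tuned deployment would exempt those servers rather than alert on every transfer.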