Download Snort Rules

Sourcefire Vulnerability Research Team™ (VRT) Rules are the official rules of snort.org. Each rule is developed and tested using the same rigorous standards the VRT uses for Sourcefire customers.

These rules are distributed under the VRT Certified Rules License Agreement. This license agreement allows you to study and modify VRT rules but restricts commercial redistribution.

Downloading via Command-line Interface

Downloading of the VRT rules via the command line can be performed using tools such as wget and curl through use of an oinkcode. Be sure to use the proper flags to ensure a successful download.

*all of these commands can be used with ssl by specifying https in the request

Subscriber Release

wget

        $ wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
             -O <output-filename>  

        $ wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
             --output-document=<output-filename>  
      
        e.g. 
            $ wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<oinkcode here> \
                 -O snortrules-snapshot-2931.tar.gz
      

curl

        $ curl -L http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
             -o <output-filename>  

        $ curl --location http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
             --output <output-filename>  
      
        e.g. 
            $ curl -L http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<oinkcode here> \
                 -o snortrules-snapshot-2931.tar.gz
      

Registered User Release

wget

        $ wget http://www.snort.org/reg-rules/<filename>/<oinkcode here> -O <output-filename>  

        $ wget http://www.snort.org/reg-rules/<filename>/<oinkcode here> \
             --output-document=<output-filename>  
      
        e.g. 
            $ wget http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/<oinkcode here> \
                 -O snortrules-snapshot-2931.tar.gz
      

curl

        $ curl -L http://www.snort.org/reg-rules/<filename>/<oinkcode here> -o <output-filename>  

        $ curl --location http://www.snort.org/reg-rules/<filename>/<oinkcode here> \
             --output <output-filename>  
      
        e.g. 
            $ curl -L http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/<oinkcode here> \
                 -o snortrules-snapshot-2931.tar.gz
      

Edge Rulepack

You can now stay on the cutting edge of rulepacks by setting <filename>, in any of the above recipes, equal to snortrules-snapshot-edge.tar.gz

This will pull down the latest versioned rulepack that you are privileged to have! e.g. if 2912, 2930 and 2931 are available, it will access 2931.