Here at Snort, we continue to welcome rule submissions to improve community detection. As a thanks to our community, we like to reward individuals with some cool “Snort swag” items such as our new “Snorty mug”, hoodies, Snort calendar, and other goodies for rule submissions accepted.
For further details, please read on:
Standard rules for submission criteria:
We are accepting signatures into the community ruleset (GPLv2 licensed) via the Snort-Sigs mailing list, which anyone may join here: https://lists.sourceforge.net/lists/listinfo/snort-sigs.
When we receive a signature, we will follow our standard internal procedures (which involves heavy QA of the signature, testing, optimization for performance, and perhaps sending the rule out to our internal any external testing groups).
You may reference the Snort Users Manual for general rules questions, as well as discussing it among fellow Snort Rule writers on the above list.
The rules are released in the Snort Rule Set and are available to our customers and the Snort community as a whole via our normal community rule distribution process, published daily!
We will provide you feedback about how to improve your rules such as what you should or should not do, tips and tricks involved with the latest versions of Snort and its’ keywords, as well as giving the author full attribution for their submissions, on the Snort Blog, as well as the AUTHORS file contained in the Community Rule Set tarball.
If you’d like to submit to the Snort ruleset, please email us at research [at] sourcefire.com with your rule and research behind it (pcap, ascii dump, references, anything!)
As always False positive reports belong here: https://snort.org/community, after logging in.
The highest submitter for accepted rules for each month will receive some Snort goodies never before available. Keep in mind that we must accept the rules. So if you write a rule for an ICMP response on the network (for example), we are not going to accept it.
We thank the community in advance for rule submissions, as well as continued submission of false positive reports.