Showing posts with label snort documentation. Show all posts

Thursday, December 17, 2020

Removing opensource.gz from rule releases

For many years, we have distributed a file called “opensource.gz,” which contained the plaintext rule documents for each of our SNORTⓇ rules. Since that file was first released, our documentation has improved by leaps and bounds as a result of our most recent project, led by our own Kri Dontje; you can read more about those improvements in our prior blog post.

Since our documentation is now more “living” and is released with every rule update, we’ve made the decision to no longer chew up the bandwidth to distribute opensource.gz, and instead point your browsers and tools to the official authority for Snort rule docs: Snort.org.

Rule documentation links follow a fixed format, for example https://snort.org/rule_docs/1-56720. Replacing the SID at the end of the URL with the SID you are looking for will take you to the most updated document.

Tools available on the internet and integrators of our ruleset onto their boxes are encouraged to create these links to Snort.org directly from their interfaces as well. 
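As an added example (not code from the Snort blog or project), here is a small Python helper that an integrator could use to build these Snort.org links from the gid and sid options of a rule, so an interface links to the live document rather than caching a copy. The sample rules below are constructed for illustration and are not real Snort rules.

```python
import re

# Builds Snort.org rule-doc links using the URL format described in the post:
#   https://snort.org/rule_docs/<GID>-<SID>
RULE_DOCS_BASE = "https://snort.org/rule_docs/"

# Matches the sid:/gid: options inside a rule's option block, e.g. "sid:56720;".
_OPT_RE = re.compile(r"\b(sid|gid)\s*:\s*(\d+)\s*;")


def rule_doc_url(rule: str) -> str:
    """Return the documentation URL for one Snort rule string.

    GID defaults to 1 (the standard text-rule generator) when the rule has no
    explicit gid option, which is how the post's 1-56720 example is formed.
    """
    start = rule.find("(")
    end = rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option block")
    opts = dict(_OPT_RE.findall(rule[start + 1:end]))
    if "sid" not in opts:
        raise ValueError("rule has no sid option")
    return f"{RULE_DOCS_BASE}{opts.get('gid', '1')}-{opts['sid']}"


def doc_links_for_ruleset(rules_text: str) -> dict:
    """Map each "gid-sid" in a rules file to its Snort.org doc link.

    Blank lines and commented-out (disabled) rules are skipped. The links are
    meant to be rendered in a UI on demand, not fetched in bulk.
    """
    links = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        url = rule_doc_url(line)
        links[url.rsplit("/", 1)[1]] = url
    return links


# Constructed sample rules (illustrative only, not real Snort rules).
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"disabled, skipped"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web request"; content:"GET"; sid:56720; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE custom gid"; gid:3; sid:12345; rev:1;)
"""

if __name__ == "__main__":
    for key, url in doc_links_for_ruleset(SAMPLE_RULES).items():
        print(key, url)
```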

We DO NOT encourage scraping the data, so please don’t set your “for loop’ed” cURL commands to iterate through the docs and download them — our system may block you. The docs are updated at least twice a week, so we want you to link to them to ensure you are getting the most updated version.

The latest version of PulledPork will no longer request the opensource.gz file, and future requests for opensource.gz will be met with a 422, 404 or 403 error. 

Tuesday, June 16, 2020

Updates to Snort guides for CentOS, rule writing in 3

We have updated our documentation on running Snort 3 on CentOS and the Snort Rules Writing guide for Snort 3.

Thanks to community member Yaser for providing the updates.

The Snort 3 guide now has expanded information on logging options — such as syslog and JSON. There is also a new performance optimization section.

The Rules Writing guide has new syntax comparisons for file_type detection across Snort versions, as well as a comparison of app ID.

As always, you can view all of our guides on the Snort Documentation page.

Monday, February 24, 2020

Learn Snort: Back to basics videos and labs


Snort is happy to launch a new (free!) video training series created by Cisco Talos covering the basic operation of Snort 2 and Snort 3. Currently available topics include installation and configuration, packet capture and logging, and rule writing. Users of both Snort 2.9x and Snort 3 can use the included labs to acquire the basic skills and information for quick and easy setup of Snort and start inspecting traffic immediately.

The series is available on the newly revamped Snort Resources page, where you will also find Snort documentation, white papers, and additional tutorials and guides. The “Snort 101” videos currently cover the following topics:

  • Snort Overview - Snort 101
  • Snort 2 - Install and Config (with labs)
  • Snort 2 - Introduction to Rule Writing
  • Snort 3 - Install and Config (with labs)
  • Snort 3 - Writing Rules (with labs)
  • Snort 3 - Logging (with labs)

The training videos and labs can also be found in a playlist on the Talos YouTube channel, and on the new Resources page here.

Wednesday, January 22, 2020

Area Under Construction: Snort documentation is getting a facelift


By Kri Dontje.

Changes will be popping up all over Snort.org to bring better support to every aspect of the Snort user experience. What sort of new things are coming?

  • Added context information and a new look for Snort rule documentation.
  • Reorganized and updated documentation.
  • Elasticsearch.
  • A surprise of the multi-media variety!

As these changes go into effect, Snort.org may experience growing pains. In particular, the search function will be limited for a few days during the change-over. Pardon the inconvenience over the next week or so while we change the Elasticsearch indexes.

After our updates are complete, we’ll keep you posted about the new features and go over where to find them.