More Information About Snort Rules

Periodically, we are asked for details on the Snort IDS rules used to send out notices regarding compromised or potentially compromised systems. We use thousands of rules and cannot fully document them all individually. However, it is possible to find out more information about the alert by looking in the logs we provide.

In every Snort alert there is a bracketed tag that reads something like [1:2007588:2]. It breaks down as [(detection mechanism):(signature ID):(signature revision)]. Using the SID (the middle number) you can find more information about most signatures.

If the number is less than 1000000, it is a Sourcefire rule (Sourcefire is the company that maintains the Snort source code). In this case, you can get more information about the rule by going to https://www.snort.org/rule_docs.

If the number is between 1000000 and 2000000, it is a Snort community rule. In this case, the best source of information will be the rule itself, which can be downloaded from Community Rules. In general, we don't use many community rules, as they are rarely updated.

If the number is between 2000000 and 3000000, it comes from emergingthreats.net and you can get more information at http://doc.emergingthreats.net/bin/view/Main/<sid number> as seen in the example above.

Finally, if the number falls in none of the ranges above, it is a custom rule that we have developed based upon patterns and break-ins we have seen on campus. For more information on these alerts, contact us at security@berkeley.edu. In general, we limit the distribution of our custom rules because too much disclosure could tell attackers and potential attackers what we look for and help them evade detection.
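As an added example (not part of the original page or of the campus tooling), the following script applies the lookup procedure above to Snort fast-format alert lines: it pulls the [gid:sid:rev] tag out of each line, classifies the SID by the ranges described, and produces the documentation pointer to consult. The sample alert lines are constructed, and treating every SID of 3000000 or above as a local custom rule is an assumption, since the page does not state the exact custom range.

```python
import re
from typing import Optional

# Regex for the [gid:sid:rev] tag that appears in every Snort alert line.
_ALERT_TAG = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")


def parse_alert(line: str) -> Optional[dict]:
    """Extract gid, sid and rev from one alert line; None if no tag is present."""
    m = _ALERT_TAG.search(line)
    if not m:
        return None
    return {k: int(v) for k, v in m.groupdict().items()}


def classify_sid(sid: int) -> tuple[str, Optional[str]]:
    """Map a SID to its rule source and the place to look it up.

    The first three ranges follow the article; the final 'local' case is an
    assumption that anything outside them is a campus custom rule."""
    if sid < 1_000_000:
        return "Sourcefire", "https://www.snort.org/rule_docs"
    if sid < 2_000_000:
        return "community", None  # no doc page; read the downloaded rule text
    if sid < 3_000_000:
        return "emergingthreats", f"http://doc.emergingthreats.net/bin/view/Main/{sid}"
    return "local", "security@berkeley.edu"  # custom rule; ask the security team


def triage(lines) -> list:
    """Return (gid, sid, rev, source, pointer) for each line that carries a tag."""
    rows = []
    for line in lines:
        tag = parse_alert(line)
        if tag is None:
            continue  # continuation lines, headers, etc.
        source, pointer = classify_sid(tag["sid"])
        rows.append((tag["gid"], tag["sid"], tag["rev"], source, pointer))
    return rows


# Constructed sample lines in Snort's fast-alert layout; not real campus alerts.
SAMPLE_ALERTS = [
    "04/01-12:00:01.000000  [**] [1:2007588:2] ET constructed example [**] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "04/01-12:00:02.000000  [**] [1:1000:1] Sourcefire constructed example [**] [Priority: 3] {TCP} 10.0.0.5:53 -> 10.0.0.9:53",
    "04/01-12:00:03.000000  [**] [1:1500000:3] community constructed example [**] [Priority: 3] {UDP} 10.0.0.5:1 -> 10.0.0.9:1",
    "04/01-12:00:04.000000  [**] [1:9000123:1] local constructed example [**] [Priority: 1] {TCP} 10.0.0.5:22 -> 10.0.0.9:22",
    "not an alert line",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```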