Rules

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Rules.

Configuration

Rulesets are chosen during setup and are specified in /etc/nsm/pulledpork/pulledpork.conf.
If you change the the configuration in pulledpork.conf, then you will need to run rule-update (if in a server/sensor deployment, run rule-update on the master first, then the sensor, or wait for it to be replicated).

Options

Security Onion offers the following choices for rulesets to be used by Snort/Suricata:

• ET Open

  • optimized for Suricata, but available for Snort as well
  • free

  For more information, see:
  https://rules.emergingthreats.net/open/

• ET Pro (Proofpoint)

  • optimized for Suricata, but available for Snort as well
  • rules retrievable as released
  • license fee per sensor

  For more information, see:
  https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

• Snort Community

  • optimized for Snort
  • community-contributed rules
  • free

  For more information, see:
  https://www.snort.org/downloads/#rule-downloads
  https://www.snort.org/faq/what-are-community-rules

• Snort Registered

  • optimized for Snort
  • Snort SO (Shared Object) rules will only work with Snort
  • same rules as Snort Subscriber ruleset, except rules only retrievable after 30 days past release
  • free

  For more information, see:
  https://www.snort.org/downloads/#rule-downloads
  https://snort.org/documents/registered-vs-subscriber

• Snort Subscriber (Talos)

  • optimized for Snort
  • Snort SO (Shared Object) rules will only work with Snort
  • rules retrievable as released
  • license fee per sensor

  For more information, see:
  https://www.snort.org/downloads/#rule-downloads
  https://snort.org/documents/registered-vs-subscriber