Snort — IPS

OSS (GPL-2.0) · Cisco Talos · snort3/snort3 · Docs · Rule sources: Talos (subscription / community) · vulnetix vdb snort-rules returns CVE-keyed rules from the Vulnetix catalogue.

What Snort does

Snort sits in the network path — inline as an IPS or out-of-band as an IDS — and matches packets against rules written in the Snort rule language. A rule that matches can pass the traffic, log it, alert on it, or drop it.

For vulnerability management the angle is narrow. When the exploit for a CVE has a recognisable wire signature — a specific URI fragment, header, payload, or protocol misuse — a Snort rule that drops the traffic before it reaches the vulnerable service is a valid mitigation. The Snort SID and the deployment location become the evidence in an OpenVEX statement.

IPS rules aren’t SBOM components, so the attestation is always OpenVEX.

Rule structure

Writing a mitigation rule

alert tcp any any -> $HOME_NET 8080 (
  msg:"CVE-XXXX-XXXX exploit attempt blocked";
  content:"/../etc/passwd"; nocase;
  sid:1000001; rev:1;
  classtype:attempted-user;
  metadata:vuln-coordinator CVE-XXXX-XXXX;
)
alert http any any -> $HTTP_SERVERS $HTTP_PORTS (
  msg:"CVE-XXXX-XXXX — malformed header exploit";
  pcre:"/X-Exploit:\s*[0-9]{50,}/i";
  sid:1000002; rev:1;
  classtype:web-application-attack;
)

Testing the rule

OpenVEX outcome

See also