Snort — IPS
OSS (GPL-2.0) · Cisco Talos · snort3/snort3 · Docs · Rule sources: Talos (subscription / community) ·
vulnetix vdb snort-rulesreturns CVE-keyed rules from the Vulnetix catalogue.
What Snort does
Snort sits in the network path — inline as an IPS or out-of-band as an IDS — and matches packets against rules written in the Snort rule language. A rule that matches can pass the traffic, log it, alert on it, or drop it.
For vulnerability management the angle is narrow. When the exploit for a CVE has a recognisable wire signature — a specific URI fragment, header, payload, or protocol misuse — a Snort rule that drops the traffic before it reaches the vulnerable service is a valid mitigation. The Snort SID and the deployment location become the evidence in an OpenVEX statement.
IPS rules aren’t SBOM components, so the attestation is always OpenVEX.
Rule structure
Writing a mitigation rule
alert tcp any any -> $HOME_NET 8080 (
msg:"CVE-XXXX-XXXX exploit attempt blocked";
content:"/../etc/passwd"; nocase;
sid:1000001; rev:1;
classtype:attempted-user;
metadata:vuln-coordinator CVE-XXXX-XXXX;
)
alert http any any -> $HTTP_SERVERS $HTTP_PORTS (
msg:"CVE-XXXX-XXXX — malformed header exploit";
pcre:"/X-Exploit:\s*[0-9]{50,}/i";
sid:1000002; rev:1;
classtype:web-application-attack;
)
Testing the rule
OpenVEX outcome
See also
- SSVC Engineer Triage — the framework that maps a rule deployment to the
Mitigation Optioninput. - OpenVEX appendix — the format these rule guides produce.
- Glossary.