Fundamental Rule Writing Concepts

When writing a Snort rule, keep in mind that you are in reality building a traffic signature. The purpose of this signature is to discover a specific type of traffic by matching all observed traffic against it. With this in mind, there is often a gap between the traffic you intend the rule to trigger on and the traffic that actually triggers it.

The goal in creating effective signatures is to write rules that match only the network traffic you want to discover. Unfortunately, this goal is almost impossible to attain; each rule is likely to trigger on traffic other than what you intended. When writing a rule, you should make a best effort to narrow it down so that it triggers only on the isolated traffic ...
