Rule Syntax

Snort rules have a basic syntax that must be followed for a rule to match the traffic signature it was written for. Violating Snort's rule syntax can prevent a rule from loading into the detection engine at all. If a malformed rule does load, the incorrect syntax can produce unpredictable and unintended results. The rule may trigger on a large amount of benign traffic, generating a flood of false positives that could overload the intrusion database. It may also trigger on randomly occurring traffic patterns, causing unnecessary panic when the alert fires.

Even worse, some rules load, but never trigger on the traffic they are designed to detect. The IDS analyst may assume the rule is functioning ...
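The two failure modes described above, a rule that will not load and a rule that loads but matches far too much traffic, can be illustrated with a small checker. The code below is an added example, not from the book or from Snort itself; it implements a deliberately simplified reading of the classic rule format (`action proto src sport dir dst dport (option; ...)`) and does not replace letting Snort parse the rule file. The sample rules, their `sid` values and the list of "constraint" options it looks for are constructed for the illustration.

```python
"""Minimal checker for basic Snort rule syntax and for rules likely to be noisy.

Added example: a simplified parser, not Snort's own rule loader.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Options that narrow what a rule matches on. A rule with none of them
# fires on every packet whose header matches, which is the classic
# "hail of false positives" case. (Constructed, illustrative list.)
CONSTRAINT_OPTS = {"content", "pcre", "flow", "flags", "dsize", "byte_test",
                   "byte_jump", "itype", "icode", "ttl", "ipopts"}

# action proto src_ip src_port direction dst_ip dst_port (option; option; ...)
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.DOTALL,
)


def parse_rule(rule):
    """Split a rule into header fields and an option dict.

    Raises ValueError on the basic syntax errors that stop a rule loading.
    The option split is naive (no handling of escaped ';' inside content
    strings); it is a teaching aid only.
    """
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("header must be 'action proto src sport dir dst dport (options)'")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if not body.rstrip().endswith(";"):
        raise ValueError("every option, including the last, must end with ';'")
    options = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip())
    for required in ("msg", "sid"):
        if required not in options:
            raise ValueError(f"rule is missing the {required} option")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def noise_warnings(parsed):
    """Return warnings for rules that load fine but are likely to be noisy."""
    warnings = []
    if all(parsed[k] == "any" for k in ("src", "sport", "dst", "dport")):
        warnings.append("header matches any host and any port")
    if CONSTRAINT_OPTS.isdisjoint(parsed["options"]):
        warnings.append("no payload or flow constraint; rule fires on every matching header")
    return warnings


def check_rule(rule):
    """Return (loads, messages): loads is False on a syntax error."""
    try:
        parsed = parse_rule(rule)
    except ValueError as err:
        return False, [str(err)]
    return True, noise_warnings(parsed)


# Constructed sample rules (sids chosen in the local 1000000+ range).
GOOD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
             '(msg:"Example HTTP GET"; flow:to_server,established; '
             'content:"GET "; sid:1000001; rev:1;)')
BROAD_RULE = 'alert ip any any -> any any (msg:"Every packet"; sid:1000002; rev:1;)'
BROKEN_RULE = 'alert tcp any any -> any 80 (msg:"Lost semicolon"; sid:1000003)'

if __name__ == "__main__":
    for rule in (GOOD_RULE, BROAD_RULE, BROKEN_RULE):
        loads, messages = check_rule(rule)
        print("loads" if loads else "REJECTED", messages)
```

`BROKEN_RULE` is rejected outright, which is the easy case to notice. `BROAD_RULE` is the more dangerous one: it is syntactically valid and loads, but with `any any -> any any` and no payload or flow option it alerts on every IP packet the sensor sees.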

Get Intrusion Detection with Snort now with the O’Reilly learning platform.