Summary

This chapter is an introduction to writing rules in Snort. It describes the Snort rule syntax in detail, then offers concrete examples that make use of that syntax.

The goal in creating effective signatures is to write rules that match only the network traffic you want to detect, and nothing else. To write rules that trigger only on the traffic you intend, you must study that traffic and identify properties that are unique to it, such as a fixed byte sequence in the payload or an unusual combination of header fields, rather than keying on something that legitimate traffic also carries.

Snort rules have a basic syntax that must be followed for a rule to match its intended traffic signature. A rule that violates the syntax will fail to load into the detection engine. The most basic syntactic requirement of a Snort rule is that it be written on a single line. A Snort rule is divided ...
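As an added illustration of the single-line requirement and of the two halves a Snort rule is divided into (the rule header and the parenthesised option list), here is a small Python checker. It is not the book's code and not Snort's own parser; it only recognises the header fields and splits options on semicolons outside double quotes. The rules file it reads is constructed for this example: the scanner request path, the `msg` strings and the `sid` values are made up, and the second rule is deliberately wrapped across two lines so that the checker rejects it the way Snort would refuse to load it.

```python
"""Split Snort rules into rule header and option list, rejecting anything
that is not a single 'header (options)' line.  Illustrative code added to
this page, not Snort's parser; SAMPLE_RULES is constructed for the example."""

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed rules file (not from the book or the Snort distribution).
# Rule 1 keys on a request line assumed to be unique to a hypothetical
# scanner, so ordinary HTTP does not fire it.  Rule 2 is wrapped onto two
# lines without a continuation, so it is not a valid single-line rule.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE scanner probe"; flow:to_server,established; content:"GET /cgi-bin/probe.cgi"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE broken rule";
  sid:1000002; rev:1;)
'''

# Rule header: action protocol src src_port direction dst dst_port
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    # (keyword, value) pairs; bare keywords such as 'nocase' carry None
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def option(self, key: str) -> List[Optional[str]]:
        """All values given for one option keyword (content may repeat)."""
        return [v for k, v in self.options if k == key]


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'key:value; key; ...' on ';' outside double quotes.
    A backslash escapes the next character, as in Snort content strings."""
    parts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    options: List[Tuple[str, Optional[str]]] = []
    for raw in parts:
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    return options


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError for anything Snort could not load."""
    line = line.strip()
    open_paren = line.find("(")
    if open_paren < 0 or not line.endswith(")"):
        raise ValueError(f"not a single 'header (options)' line: {line!r}")
    header = HEADER_RE.match(line[:open_paren])
    if header is None:
        raise ValueError(f"malformed rule header: {line[:open_paren].strip()!r}")
    options = split_options(line[open_paren + 1:-1])
    if not any(k == "sid" for k, _ in options):
        raise ValueError("rule has no sid; Snort identifies rules by sid and rev")
    return Rule(**header.groupdict(), options=options)


def parse_rules(text: str) -> Tuple[List[Rule], List[Tuple[int, str]]]:
    """Parse a rules file, returning (rules, [(line number, error), ...])."""
    rules: List[Rule] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            rules.append(parse_rule(stripped))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


if __name__ == "__main__":
    loaded, failed = parse_rules(SAMPLE_RULES)
    for rule in loaded:
        print(f"loaded sid {rule.option('sid')[0]}: {rule.action} {rule.proto} "
              f"{rule.src}:{rule.sport} {rule.direction} {rule.dst}:{rule.dport}")
    for lineno, msg in failed:
        print(f"line {lineno}: {msg}")
```

Running the block loads the first rule and reports both halves of the wrapped rule as errors: the first half has a header but no closing parenthesis, and the second half has no header at all. The `option()` accessor returns a list because some keywords, `content` in particular, may legitimately appear several times in one rule.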

From Intrusion Detection with Snort (O’Reilly).