There are two separate elements that make up a typical Snort rule. We used an example previously to demonstrate a rule's composition. These next few sections explain in greater detail the individual portions of a Snort rule and how to create a customized rule for local use.
Rule headers make up the first section of a typical Snort rule. The header defines the "who" of the packet in question.
The rule header can be considered a brief description of the network connection. Four parameters define a unique network connection: Source IP, Source Port, Destination IP, and Destination Port. The header also includes the direction in which the packet travels, expressed by a direction symbol. Using a basic example, we will break down a typical header into its component parts and explain what each part does.
Here is a portion of a standard rule alerting the user to a SYN FIN scan attempt. As shown in the example below, this scan is characterized by TCP traffic entering the internal network with both the SYN and FIN flags set in the TCP header. Snort looks for those flags within the packet and notes the reference and the attack's classification. The rule then prints an alert stating that a scan was performed with the SYN and FIN flags set.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference: arachnids,198; classtype:attempted-recon; sid:624; rev:1;)
The section enclosed within parentheses is referred to as the Options section. ...
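As an added example (not from the book), a small Python model of how the rule above is read: it splits the header into action, protocol, the four connection parameters and the direction symbol, parses the options, and decides whether a constructed packet would trigger the SYN FIN alert. The $HOME_NET and $EXTERNAL_NET values and the packets are constructed for the demonstration, and the code goes slightly beyond the rule shown by also handling the bidirectional `<>` symbol and the `+` modifier of the flags option.

```python
import ipaddress
import re

# Header: action proto src_ip src_port direction dst_ip dst_port, then (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: keyword, optional ":value" (a quoted value may contain ';'), then ';'
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# The SYN FIN scan rule from the text; the variable values below are constructed
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";'
        'flags:SF; reference: arachnids,198; classtype:attempted-recon; sid:624; rev:1;)')
NETS = {'$HOME_NET': ['192.168.1.0/24'], '$EXTERNAL_NET': ['!$HOME_NET']}

def parse_rule(rule):
    """Split a rule into its header (the 'who') and its options (the 'what')."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    header = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m.group('opts'))}
    return header, options
def in_net(ip, spec, nets):
    """Resolve 'any', '!spec', a $VARIABLE (a list of specs) or a CIDR/host literal."""
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not in_net(ip, spec[1:], nets)
    if spec in nets:
        return any(in_net(ip, s, nets) for s in nets[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def header_matches(header, pkt, nets):
    """Check protocol and the four connection parameters; '<>' also tries the reverse."""
    def one_way(src, sport, dst, dport):
        return (pkt['proto'] == header['proto']
                and in_net(src, header['src'], nets) and header['sport'] in ('any', str(sport))
                and in_net(dst, header['dst'], nets) and header['dport'] in ('any', str(dport)))
    fwd = one_way(pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
    rev = header['dir'] == '<>' and one_way(pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
    return fwd or rev
def flags_match(spec, pkt_flags):
    """flags:SF means exactly SYN and FIN set; a trailing '+' allows other flags as well."""
    want, have = set(spec.rstrip('+')), set(pkt_flags)
    return want <= have if spec.endswith('+') else want == have
def rule_fires(rule, pkt, nets):
    """Return the rule's msg text if the packet would trigger it, otherwise None."""
    header, options = parse_rule(rule)
    flags_ok = 'flags' not in options or flags_match(options['flags'], pkt.get('flags', ''))
    return options.get('msg') if header_matches(header, pkt, nets) and flags_ok else None
```

A packet is passed as a plain dict (proto, src, sport, dst, dport, flags), so the same functions can be driven from any decoder that yields those fields.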