There are already tons of written Snort rules, but there just might be a time where you need to write one yourself. You can think of writing Snort rules as writing a program. They can include variables, keywords and functions. Why do we need to write rules? The reason is, without rules Snort will never detect someone trying to hack your machine. This HOWTO will give you confidence to write your own rules.


Bill Keys
What you will need:
  • 1. A machine to do your development on. These rules should NOT be run on a production server because the rules are only meant to be examples, which you can learn from.
  • 2. Also you will need a client machine to connect to the machine which Snort is running on.
  • 3. EnGarde Secure Community 3.0.18 or above with Snort installed.

Syntax: The Guts of Rules

The syntax may look a little strange at first but this section will explain it so you can start writing your own rules. Snort rules are divided into two sections: the rule header and the rule options. First, the rule header contains rules, actions, protocol, source and destination IP address, and source and destination ports. The second part is rule options, which contains an alert message and information on the parts of the packet that should be looked at to see if the rule action should be taken.

alert tcp any any -> 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
The text up to the first parenthesis is the rule header and the section inside the parenthesis is the ( rule options ).

Rule Actions:
This is where you describe the