
Intrusion Detection with Snort by Jack Koziol


Rule Syntax

Snort rules have a basic syntax that must be followed for a rule to match the traffic signature it describes. A rule that violates the syntax may fail to load into the detection engine at all. A rule that does load despite a syntax mistake can behave in unpredictable and unintended ways: it may trigger on a large amount of benign traffic, producing a flood of false positives that can overwhelm the intrusion database, or it may trigger on randomly occurring traffic patterns, causing unnecessary panic each time an alert is generated.

Even worse, some rules load, but never trigger on the traffic they are designed to detect. The IDS analyst may assume the rule is functioning ...
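The three failure modes above (a rule that refuses to load, a rule that loads but never fires, and a rule that fires on nearly everything) can be reproduced with a small rule loader and matcher. The code below is an added example written for this page; it is not Snort's own parser and not code from the book. It models only the rule header, the semicolon-terminated option list, and the `content`/`nocase` options; the rule strings, the `RuleSyntaxError` class, the `loads`/`parse_rule`/`rule_matches` function names, and the packets are all constructed for the illustration (addresses and bidirectional `<>` matching are deliberately not evaluated).

```python
"""Added example: a simplified Snort-style rule loader and matcher.

Not Snort's parser. It models the header (action proto src sport dir dst dport),
the option list in parentheses, and the content/nocase options, which is enough
to show a rule that will not load, one that loads but never fires, and one that
fires on benign traffic.
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header: action proto src sport (->|<>) dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)
# one option: key, optional :value (quoted or bare), and a mandatory ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;"]*))?\s*;')


class RuleSyntaxError(ValueError):
    """Raised for a rule that would be rejected at load time."""


def parse_rule(text):
    """Parse one rule; raise RuleSyntaxError on malformed input."""
    m = HEADER_RE.match(text)
    if not m:
        raise RuleSyntaxError("expected: action proto src sport dir dst dport (options)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise RuleSyntaxError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise RuleSyntaxError(f"unknown protocol {proto!r}")
    options, pos, body = [], 0, body.strip()
    while pos < len(body):
        om = OPTION_RE.match(body, pos)
        if om is None:  # missing ';', unbalanced quote, or stray text
            raise RuleSyntaxError(f"bad option syntax near {body[pos:pos + 24]!r}")
        key, val = om.group(1), om.group(2)
        if val is not None:
            val = val.strip()
            if val.startswith('"'):
                val = val[1:-1]
        options.append((key, val))
        pos = om.end()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def loads(text):
    """True if the rule would load, False if the loader rejects it."""
    try:
        parse_rule(text)
        return True
    except RuleSyntaxError:
        return False


def _port_ok(spec, port):
    return spec == "any" or spec == str(port)


def rule_matches(rule, packet):
    """Evaluate a parsed rule against a constructed packet dict
    (keys: proto, sport, dport, payload as str). Addresses are not checked."""
    if rule["proto"] != packet["proto"]:
        return False
    if not (_port_ok(rule["sport"], packet["sport"]) and _port_ok(rule["dport"], packet["dport"])):
        return False
    contents = []  # [pattern, nocase]; 'nocase' modifies the preceding 'content'
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for pattern, nocase in contents:
        hay, needle = (packet["payload"], pattern)
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


# Constructed packets (not captured traffic).
ATTACK = {"proto": "tcp", "sport": 40123, "dport": 80, "payload": "GET /admin/config HTTP/1.0\r\n"}
BENIGN = {"proto": "tcp", "sport": 40124, "dport": 80, "payload": "GET /index.html HTTP/1.0\r\n"}

# 1. Will not load: the msg option is not terminated with ';'.
BAD_RULE = 'alert tcp any any -> any 80 (msg:"admin probe" content:"/admin"; sid:1000001; rev:1;)'
# 2. Loads, but never fires: content is case-sensitive and the request says "GET".
SILENT_RULE = 'alert tcp any any -> any 80 (msg:"admin probe"; content:"get /admin"; sid:1000002; rev:1;)'
# 3. Corrected: nocase makes the preceding content match case-insensitively.
GOOD_RULE = 'alert tcp any any -> any 80 (msg:"admin probe"; content:"get /admin"; nocase; sid:1000003; rev:1;)'
# 4. Loads and fires, but on every HTTP request: a false-positive generator.
BROAD_RULE = 'alert tcp any any -> any 80 (msg:"web traffic"; content:"HTTP/1."; sid:1000004; rev:1;)'


def main():
    print("BAD_RULE loads:", loads(BAD_RULE))
    for name, rule in [("SILENT", SILENT_RULE), ("GOOD", GOOD_RULE), ("BROAD", BROAD_RULE)]:
        parsed = parse_rule(rule)
        print(name, "attack:", rule_matches(parsed, ATTACK), "benign:", rule_matches(parsed, BENIGN))


if __name__ == "__main__":
    main()
```

The silent rule is the case the text warns about most: it passes the loader, so nothing in the logs says it is broken, yet it can never match the request it was written for until `nocase` is added. Testing every new rule against a packet it is supposed to catch, as `main()` does here, is the only way to tell the two apart.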
