Rule Syntax

Snort rules have a basic syntax that must be adhered to for the rule to properly match a traffic signature. Violating the Snort rule syntax can cause a rule to not load into the detection engine. If a rule does manage to load, incorrect rule syntax may result in unpredictable and unintended consequences. The rule could trigger on a large amount of benign traffic, causing a hail of false positives. This could potentially overload the intrusion database. The rule could trigger on randomly occurring traffic patterns, which have the potential to cause unnecessary panic when an alert is generated.

Even worse, some rules load, but never trigger on the traffic they are designed to detect. The IDS analyst may assume the rule is functioning ...
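The load-failure case described above, shown as a minimal pre-flight check of a rule's header and option block. This is an added example, not the book's or the Snort project's code; it assumes Snort 2 rule syntax, uses constructed sample rules, and does not replace Snort's own parser (for instance, it splits options on semicolons without honoring quoted strings).

```python
import re

# Snort 2 rule header vocabulary, as assumed by this example.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
# Port field: any, a number, a range like 1024: or :1023, or a $VARIABLE, optionally negated.
PORT_RE = re.compile(r"^!?(any|\d+|\d*:\d*|\$\w+)$")


def check_rule(rule: str) -> list[str]:
    """Return a list of syntax problems; an empty list means the rule passes this check."""
    problems = []
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        problems.append("options must be enclosed in parentheses")
        header, options = rule, ""
    else:
        header, options = rule.split("(", 1)
        options = options[:-1]  # drop the closing parenthesis
    fields = header.split()
    if len(fields) != 7:
        problems.append(f"header needs 7 fields, found {len(fields)}")
        return problems  # positional checks below would be meaningless
    action, proto, sport_src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        problems.append(f"unknown action '{action}'")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol '{proto}'")
    if direction not in DIRECTIONS:
        problems.append(f"bad direction operator '{direction}'")
    for port in (sport, dport):
        if not PORT_RE.match(port):
            problems.append(f"bad port '{port}'")
    if options and not options.rstrip().endswith(";"):
        problems.append("each option must end with a semicolon")
    # Naive split: does not account for ';' inside quoted option values.
    opts = [o.strip() for o in options.split(";") if o.strip()]
    if not any(o.startswith("sid:") for o in opts):
        problems.append("missing sid option")
    return problems


# Constructed sample rules: one well-formed, one with several syntax errors.
GOOD = 'alert tcp any any -> any 80 (msg:"constructed web test"; content:"GET"; sid:1000001; rev:1;)'
BAD = 'alert tcp any any => any http (msg:"constructed web test"; content:"GET")'

if __name__ == "__main__":
    for name, rule in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_rule(rule) or "ok")
```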
