Writing Rules

Now that you know the elements of a Snort rule, it is a good idea to walk through a few rule-writing samples. There are essentially three methods to writing Snort rules. The first and easiest method is to modify or add to an existing rule. To tune Snort and make it more efficient, you may have already attempted this process. The second method is to create a new rule by using your knowledge of your network. These are fairly easy to create because they do not require extensive traffic analysis. The third method, creating a new rule by examining network traffic, is the most difficult. This section examines all three.

Modifying an Existing Rule

Let's say you have a single IIS server at your organization, and you would like to modify ...

Get Intrusion Detection with Snort now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.