Intrusion Detection with Snort by Jack Koziol

Writing Rules

Now that you know the elements of a Snort rule, it is a good idea to walk through a few rule-writing samples. There are essentially three methods of writing Snort rules. The first and easiest is to modify or add to an existing rule; you may already have done this while tuning Snort to make it more efficient. The second is to create a new rule from your knowledge of your own network. Such rules are fairly easy to create because they do not require extensive traffic analysis. The third method, creating a new rule by examining network traffic, is the most difficult. This section examines all three.

Modifying an Existing Rule

Let's say you have a single IIS server at your organization, and you would like to modify ...
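As an added illustration of the first method (example tooling written for this page, not code from the book), the following script parses a single-line Snort rule into its header fields and option body, then narrows the destination from the `$HTTP_SERVERS` variable to one host and bumps the `rev` so the change is visible in alerts and rule management. The sample rule, the host `192.0.2.10`, and the helper names `parse_rule` and `scope_rule_to_host` are constructed for the example.

```python
import re

# Constructed sample rule (not from the book): a generic web-server rule that
# relies on Snort's $HTTP_SERVERS / $HTTP_PORTS variables for its destination.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS example request"; flow:to_server,established; '
    'content:"/example.dll"; nocase; sid:1000001; rev:1;)'
)

# A Snort rule header is exactly seven whitespace-separated fields.
HEADER_FIELDS = ("action", "proto", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")


def parse_rule(rule):
    """Split a one-line Snort rule into (header dict, option body string).

    The header is the text before the first '('; the option body is the text
    inside the outermost parentheses, returned without the closing ')'.
    """
    head, sep, rest = rule.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule has no parenthesised option body")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(
            f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    header = dict(zip(HEADER_FIELDS, parts))
    options = rest.rstrip()[:-1]  # drop the closing ')'
    return header, options


def scope_rule_to_host(rule, host):
    """Return a copy of `rule` whose destination address is `host`.

    The rev option is incremented so the modified rule is distinguishable
    from the original in alert output and in rule change tracking.
    """
    header, options = parse_rule(rule)
    header["dst_ip"] = host

    def bump(match):
        return f"rev:{int(match.group(1)) + 1};"

    new_options, count = re.subn(r"rev:\s*(\d+)\s*;", bump, options)
    if count != 1:
        raise ValueError("rule must carry exactly one rev option")
    new_header = " ".join(header[field] for field in HEADER_FIELDS)
    return f"{new_header} ({new_options})"


if __name__ == "__main__":
    # Scope the sample rule to a single (constructed) IIS server address.
    print(scope_rule_to_host(SAMPLE_RULE, "192.0.2.10"))
```

Tightening the destination this way keeps the detection logic intact while cutting the rule's evaluation to traffic aimed at the one host that can actually be affected, which is the efficiency gain the text refers to.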