Write Your Own Snort Rules

Customize Snort for your own needs quickly and easily by leveraging its flexible rule engine and language.

One of the best features of Snort is its rule engine and language. Snort’s rule engine provides an extensive language that enables you to write your own rules, allowing you to extend Snort to meet the needs of your own network.

A Snort rule can be broken down into two basic parts, the rule header and options for the rule. The rule header contains the action to perform, the protocol that the rule applies to, and the source and destination addresses and ports. The rule options allow you to create a descriptive message to associate with the rule, as well as check a variety of other packet attributes by making use of Snort’s extensive library of plug-ins.

Here’s the general form of a Snort rule:

            action proto src_ip src_port direction dst_ip dst_port (options)

When a packet comes in, its protocol, source and destination IP addresses, and ports are compared against the header of each rule in the ruleset. For every rule whose header applies to the packet, the rule options are then checked against the packet. If all of these comparisons match, the specified action is taken.

Snort provides several built-in actions that you can use when crafting your rules. To simply log the packet that matches a rule, use the log action. The alert action generates an alert using the method specified in your configuration file or on the command line, in addition to logging the packet. One nice feature ...
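To make the header/options split and the two-stage matching described above concrete, here is a small added example in Python (not code from the book or from Snort): it parses a constructed rule into its seven header fields and its options, then evaluates a constructed packet the way the text describes, header first and options second, returning the action only when both match. It generalizes slightly beyond the text by honouring both the "->" and "<>" direction operators and "!" negation on addresses; the rule, the packet and the 'flags' option check are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample rule, not from the original page: alert on a TCP SYN from
# outside 192.168.1.0/24 to port 23 (telnet) on a host inside it.
SAMPLE_RULE = ('alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 23 '
               '(msg:"Telnet connection attempt"; flags:S; sid:1000001; rev:1;)')
Rule = namedtuple("Rule", "action proto src_ip src_port direction dst_ip dst_port options")

def parse_rule(text):
    """Split a rule into its 7-field header and its (key:value; ...) options."""
    header, _, opts = text.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    options = {}
    for opt in opts.rstrip(")").split(";"):  # assumes no ';' inside msg text
        if opt.strip():
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(*fields, options)

def ip_matches(spec, ip):
    """'any', a host, or a CIDR block; a leading '!' negates the match."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def evaluate(rule, pkt):
    """Header first (proto, addresses, ports), then the options, then act."""
    if rule.proto != pkt["proto"]:
        return None
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule.direction == "<>":  # bidirectional: also try the swapped tuple
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    if not any(ip_matches(rule.src_ip, s) and port_matches(rule.src_port, sp)
               and ip_matches(rule.dst_ip, d) and port_matches(rule.dst_port, dp)
               for s, sp, d, dp in ends):
        return None
    if "flags" in rule.options and rule.options["flags"] != pkt["flags"]:
        return None  # only 'flags' is checked; msg/sid/rev are alert metadata
    return rule.action

# Constructed packet: a SYN from an outside host to an internal telnet port.
PKT = {"proto": "tcp", "src": "203.0.113.9", "sport": 51234,
       "dst": "192.168.1.10", "dport": 23, "flags": "S"}
```

evaluate(parse_rule(SAMPLE_RULE), PKT) returns "alert"; a packet from an inside address, to another port, or without the SYN flag returns None, so the rule never fires on it.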
