Snort 2.1 Intrusion Detection, Second Edition

Chapter 5: Playing by the Rules

Introduction

One of the most highly praised functions of Snort is the capability for users to write their own rules. In addition to the large rulebase that Snort comes with by default, IDS administrators can develop rules themselves. Instead of having to depend on an outside agency, vendor, or administrator for updates when a new attack comes out or a new exploit vector is discovered, Snort administrators can write their own rules for the anomalous traffic they see, and compare notes with the large Snort rule-writing community on the Internet. This allows for unprecedented capabilities in update speed and customization. In this chapter, we'll cover what a rule is, the structure of a rule, writing good rules, and the life cycle of a Snort rule.

So, what is a rule? Simply put, a rule is a set of instructions designed to pick out network traffic that matches a specified pattern, and then take a chosen action when it sees traffic that matches. A rule consists of a rule header and a rule body: the former describes the traffic at the packet level, and the latter fills in additional details such as content, references, and documentation.

What can you do with Snort rules? You can examine your network and analyze the traffic patterns. You can allow known traffic that normally matches one of the other rules to go unremarked, or you can log the traffic, or you can generate alerts. You...
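As an added illustration of the header/body split and the pass, log and alert actions described above, the following parser is example code written for this page, not code from the book or from the Snort project. It splits a Snort 2.x rule into its header fields (action, protocol, source, destination, direction) and its body options, and runs a few checks a rule author would want before deploying a home-grown rule. The sample rule, its message, SID and reference URL are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Rule actions Snort 2.x accepts; the chapter text names pass, log and alert.
KNOWN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Header: action proto src_ip src_port direction dst_ip dst_port, then the body in ( ).
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.DOTALL,
)

@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, value) pairs; bare keywords get None

    def option(self, key):
        """First value for an option keyword, or None if the rule lacks it."""
        return next((v for k, v in self.options if k == key), None)

def split_options(body):
    """Split the body on ';' but not inside quotes, so content:"a;b" stays one option."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts

def parse_option(raw):
    """'msg:"text"' -> ('msg', 'text'); 'nocase' -> ('nocase', None)."""
    key, sep, value = raw.partition(":")
    if not sep:
        return key.strip(), None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return key.strip(), value

def parse_rule(text):
    """Split one rule into header fields and ordered body options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a well-formed Snort rule: %r" % text[:60])
    return SnortRule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                     m["dst"], m["dport"], [parse_option(o) for o in split_options(m["body"])])

def lint(rule):
    """Checks worth running before a locally written rule goes into production."""
    problems = []
    if rule.action not in KNOWN_ACTIONS:
        problems.append("unknown action %r" % rule.action)
    for required in ("msg", "sid", "rev"):
        if rule.option(required) is None:
            problems.append("missing " + required)
    sid = rule.option("sid")
    # SIDs below 1,000,000 are reserved for official rules; local rules use 1,000,000 and up.
    if sid is not None and (not sid.isdigit() or int(sid) < 1000000):
        problems.append("sid %s is not in the local range (>= 1000000)" % sid)
    return problems

# Constructed sample rule (not a real signature): a local web rule whose content string contains ';'.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web admin probe"; '
    'flow:to_server,established; content:"GET /admin;"; nocase; '
    'reference:url,example.invalid/ruledoc; classtype:web-application-activity; '
    "sid:1000001; rev:1;)"
)

if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(rule.action, rule.protocol, rule.src_ip, rule.src_port, rule.direction,
          rule.dst_ip, rule.dst_port)
    for key, value in rule.options:
        print("  %-10s %s" % (key, value))
    print("lint:", lint(rule) or "ok")
```

The quote-aware splitter matters because a naive `body.split(";")` would cut the `content` string in half; the lint step encodes the conventions the chapter goes on to discuss (every rule carries a message, a SID in the local range, and a revision number).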
