Snort rule – the structure
An example Snort rule is as follows:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP GET Request - Inbound"; flow:established,to_server; http_method; content:"GET"; priority:5; sid:12345678;)
A Snort rule consists of two parts: the rule header and the rule options. The rule header is everything before the first opening parenthesis. The rule options are everything from that opening parenthesis to the closing parenthesis at the end of the rule; inside them, each option is terminated by a semicolon.
In the example rule, the rule header is as follows:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80
The rule options are as follows:
(msg:"HTTP GET Request - Inbound"; flow:established,to_server; http_method; content:"GET"; priority:5; sid:12345678;)
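To make the header/options split concrete, here is a small parser (added example, not code from the page or from the Snort project) that takes the rule above, separates the header from the option block, breaks the header into its seven positional fields, and splits the options on semicolons that are not inside double quotes, so a quoted msg containing ";" is not cut in half. The field names in HEADER_FIELDS and the function names are this example's own choices.

```python
"""Split a Snort rule into its header fields and option list (added example)."""
import re

# The page's own example rule, used here as sample input.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP GET Request - Inbound"; '
               'flow:established,to_server; http_method; content:"GET"; priority:5; sid:12345678;)')

# Positional header fields, names chosen for this example.
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port", "direction", "dst_addr", "dst_port")


def split_rule(rule: str):
    """Return (header, option_body): header is the text before the first '(',
    option_body is the text between the outer parentheses."""
    rule = rule.strip()
    open_idx = rule.find("(")
    if open_idx == -1 or not rule.endswith(")"):
        raise ValueError("rule has no option block")
    return rule[:open_idx].strip(), rule[open_idx + 1:-1]


def parse_header(header: str) -> dict:
    """Map the seven whitespace-separated header tokens onto HEADER_FIELDS."""
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    fields = dict(zip(HEADER_FIELDS, parts))
    if fields["direction"] not in ("->", "<>"):
        raise ValueError("direction operator must be -> or <>")
    return fields


def parse_options(body: str) -> list:
    """Split the option body on ';' outside double quotes. Each option becomes
    (keyword, value); value is None for bare modifiers such as http_method."""
    options = []
    # Each match is one option: a run of quoted strings and/or non-';' characters.
    for raw in re.findall(r'(?:"(?:\\.|[^"\\])*"|[^;"])+', body):
        item = raw.strip()
        if not item:
            continue
        keyword, sep, value = item.partition(":")
        options.append((keyword.strip(), value.strip() if sep else None))
    return options


def parse_rule(rule: str) -> dict:
    header, body = split_rule(rule)
    return {"header": parse_header(header), "options": parse_options(body)}
```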
Before we delve into the rule header in detail, we introduce the three rule types that are new in Snort 3:
- Service rules
- File rules
- File...