Rules
Snort is, at its core, a rules-based network intrusion detection/prevention system. It is a highly complex system with several modules, such as Codecs and Inspectors, that decode and analyze the various protocols that traverse the network. All of the analysis and processing done by Codecs and Inspectors is geared toward rule-based matching.
Snort rules are written to specify particular network conditions or traffic patterns in order to detect and prevent attacks. They are written in Snort's own rule syntax. The Snort Rules Engine parses the rules and matches network traffic against them. This chapter will provide you with knowledge and details about the structure and syntax of a Snort rule and about the different types of Snort rules. You will also learn some Snort rule-writing recommendations. In short, you will be able to write your own Snort rules.
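To make the parse-then-match idea above concrete before the syntax is covered in detail, here is an added example (not code from the book or from the Snort project) of a toy rules engine in Python. It parses a small subset of the real Snort rule language, the header (action, protocol, source, source port, direction, destination, destination port) plus the msg, content, sid and rev options, and runs constructed rules against constructed packets. The network variables $HOME_NET and $EXTERNAL_NET, the rules and the packets are all invented for the illustration; Snort itself supports many more options, modifiers and variable forms than this code does.

```python
"""Toy Snort rule parser and matcher. Added illustration, not Snort's own engine.

Subset supported: rule header + msg, content (with |hex| sections), sid, rev.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical network variables, as you would define in snort.conf / snort.lua.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# name[:value]; where value is either a "quoted string" or runs up to the next ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; direction: str
    dst: str; dport: str; msg: str; contents: list; sid: int; rev: int


@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int; payload: bytes


def parse_content(value: str) -> bytes:
    """Snort content value: literal text with |hex bytes| sections, e.g. "GET|20|/"."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule header: {text}")
    opts, contents = {}, []
    for name, value in OPTION_RE.findall(m["opts"]):
        value = value.strip()
        if value.startswith('"'):
            value = value[1:-1]
        if name == "content":
            contents.append(parse_content(value))
        else:
            opts[name] = value
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"],
                m["dport"], opts.get("msg", ""), contents, int(opts["sid"]),
                int(opts.get("rev", "1")))


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)          # expand $VAR; "!" negates the rest
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                      # ranges: "1:1024", ":1024", "1024:"
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not all(c in pkt.payload for c in rule.contents):   # every content must appear
        return False
    fwd = (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
           and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    if fwd or rule.direction == "->":
        return fwd
    return (addr_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)   # "<>"
            and addr_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))


def run(rule_texts, packets):
    """Return (packet_index, sid, msg) for every rule that fires, in packet order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(i, r.sid, r.msg) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Constructed sample rules and packets (sids in the 1000000+ local range).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB /etc/passwd in request"; content:"/etc/passwd"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 22 (msg:"SSH version banner"; content:"SSH-"; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS query to internal resolver"; content:"|00 01 00 00|"; sid:1000003; rev:1;)',
]
PACKETS = [
    Packet("tcp", "203.0.113.5", 40112, "10.1.2.3", 80, b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.1.2.3", 40113, "10.1.2.4", 80, b"GET /etc/passwd HTTP/1.1\r\n"),  # internal source, not $EXTERNAL_NET
    Packet("tcp", "10.1.2.3", 51000, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("udp", "192.0.2.1", 40000, "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet("udp", "10.0.0.53", 53, "192.0.2.1", 40000, b"\x12\x34\x81\x80\x00\x01\x00\x01"),  # reply leaving $HOME_NET
]

if __name__ == "__main__":
    for idx, sid, msg in run(RULES, PACKETS):
        print(f"packet {idx}: [1:{sid}] {msg}")
```

Note what the second and fifth packets show: a rule's header is as much a part of the match as its content option, so the same payload from an internal host, or a DNS packet flowing out of $HOME_NET, does not fire. Real Snort adds a great deal on top of this (option modifiers, fast-pattern selection, protocol-aware inspection by the Inspectors), but the parse-rules-then-match-traffic loop is the same.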
The following topics will be covered:
- Snort rule – the structure
- Rule header ...