Rule Headers
All Snort rules start with a rule header that helps filter the traffic that the rule's body will evaluate.
A traditional rule header consists of five main components. The following example header is used below to point out each of those five parts:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
- Rule actions tell Snort what to do when a rule "fires" (here, alert):
  alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
- The protocol tells Snort which protocol the rule applies to (here, tcp):
  alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
- IP addresses tell Snort which networks to evaluate the rule against (here, $EXTERNAL_NET and $HOME_NET):
  alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
- Ports tell Snort which ports to evaluate the rule against (here, 80 and any):
  alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
- The direction operator tells Snort which traffic direction to look for (here, ->):
  alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
We will discuss each of these in detail in the next few pages.
Note: Snort 3 also introduces three new rule types that each have their own rule header format, and all three are described in later sections.
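To make the header's filtering role concrete, here is an added Python example (not Snort's own code) that splits a rule into its five header parts and then checks a packet against them the way the header would filter traffic before the body is evaluated. The values given to $EXTERNAL_NET and $HOME_NET, the packet tuples, and the list of accepted actions are assumptions made for this example: Snort reads its variables from configuration and supports more actions than the subset listed here. It goes slightly beyond the page's example by also handling the <> direction operator, bracketed address and port lists, port ranges, and "!" negation.

```python
"""Parse a Snort rule header and test packets against it (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Assumed variable table; in Snort these come from the configuration.
VARS = {
    "$HOME_NET": "10.0.0.0/8",
    "$EXTERNAL_NET": "!10.0.0.0/8",
}

# Subset of actions this example accepts (Snort defines more).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "block"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


@dataclass(frozen=True)
class RuleHeader:
    action: str
    protocol: str
    src_addr: str
    src_port: str
    direction: str
    dst_addr: str
    dst_port: str


def parse_header(rule: str) -> RuleHeader:
    """Split off everything before the body's '(' into the five header parts."""
    header = rule.split("(", 1)[0].strip()
    parts = header.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 header tokens, got {len(parts)}: {header!r}")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return RuleHeader(action, proto, src, sport, direction, dst, dport)


def _split_list(token: str) -> List[str]:
    """'[a,b]' -> ['a', 'b']; a bare token becomes a one-element list."""
    if token.startswith("[") and token.endswith("]"):
        return [t.strip() for t in token[1:-1].split(",") if t.strip()]
    return [token]


def _spec_matches(spec: str, value, item_hit: Callable) -> bool:
    """Resolve a variable, apply a leading '!', then test each list item."""
    spec = VARS.get(spec, spec)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        return not negate
    items = [VARS.get(i, i) for i in _split_list(spec)]
    return any(item_hit(i, value) for i in items) != negate


def _addr_hit(item: str, ip: str) -> bool:
    # A bare host address is treated as a /32 (or /128) network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)


def _port_hit(item: str, port: int) -> bool:
    # 'lo:hi' is a range; an open end means 0 or 65535.
    if ":" in item:
        lo, hi = item.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(item) == port


def header_matches(h: RuleHeader, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """True if the packet passes the header filter (so the body would run)."""
    if h.protocol != "ip" and h.protocol != proto:
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        return (_spec_matches(h.src_addr, a_ip, _addr_hit)
                and _spec_matches(h.src_port, a_port, _port_hit)
                and _spec_matches(h.dst_addr, b_ip, _addr_hit)
                and _spec_matches(h.dst_port, b_port, _port_hit))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    # '<>' also accepts the packet with source and destination swapped.
    return h.direction == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


if __name__ == "__main__":
    hdr = parse_header('alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"example"; sid:1;)')
    print(hdr)
    # Constructed packets: a reply from an outside web server, and the reverse.
    print(header_matches(hdr, "tcp", "203.0.113.5", 80, "10.1.2.3", 51000))   # True
    print(header_matches(hdr, "tcp", "10.1.2.3", 51000, "203.0.113.5", 80))   # False
```

The direction handling shows why the operator matters: with "->" the page's example only sees traffic coming from port 80 on the external network toward the home network, so a client's outbound request to the same server is filtered out before the body is ever evaluated.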