Rule Headers

All Snort rules start with a rule header. The header selects which traffic the rule applies to, so that the rule body (the options in parentheses that follow the header) is only evaluated against packets that match it.

A traditional rule header consists of five main components. The following example header is used to highlight what these five parts are; in each copy below, the carets mark the component being described:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
  • Rule actions tell Snort what to do when a rule "fires" (alert, in this example):
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
    ^^^^^

  • The protocol tells Snort which protocol applies (tcp):
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
          ^^^

  • IP addresses tell Snort what networks to evaluate the rule against. The header carries two: a source and a destination ($EXTERNAL_NET and $HOME_NET):
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
              ^^^^^^^^^^^^^       ^^^^^^^^^

  • Ports tell Snort which ports to evaluate the rule against, again a source port and a destination port (80 and any):
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
                            ^^              ^^^

  • The direction operator tells Snort which traffic direction to look for; -> reads left to right, from source to destination, and <> matches traffic in either direction:
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
                               ^^

We will discuss each of these in detail in the next few pages.
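To make the five-part structure concrete, here is a small parser for the traditional header. It is an added example written for this page, not Snort's own rule loader: it splits a rule at the first "(" to drop the body, checks that exactly seven header fields remain (action, protocol, source IP, source port, direction, destination IP, destination port), and validates each field in the way a rule author would expect: -> and <> are the only direction operators, ports must be 0-65535 with ranges in low:high order, and IP fields may be any, a $variable, an address or CIDR, a negation with "!", or a bracketed list. The set of accepted actions is an assumption based on Snort 3's built-in actions; extend it if your deployment defines custom ones. The sample rules at the bottom are constructed for the demo.

```python
"""Parse and sanity-check a traditional (five-part) Snort rule header.

Added example; not Snort's own parser. Covers the classic header form only:
  <action> <protocol> <src ip> <src port> <direction> <dst ip> <dst port>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: Snort 3's built-in rule actions. Extend for custom actions.
ACTIONS = {"alert", "block", "drop", "log", "pass", "react", "reject", "rewrite"}
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
DIRECTIONS = {"->", "<>"}          # there is no "<-" operator in Snort

VAR_RE = re.compile(r"\$\w+")      # $HOME_NET, $HTTP_PORTS, ...


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str


def _split_list(spec):
    """Split a bracketed list like [80,443] into its elements (no nested lists)."""
    return spec[1:-1].split(",")


def valid_ip_spec(spec: str) -> bool:
    """any, a $variable, an address or CIDR, each optionally negated with '!', or a [list]."""
    spec = spec[1:] if spec.startswith("!") else spec
    if spec.startswith("[") and spec.endswith("]"):
        return all(valid_ip_spec(e) for e in _split_list(spec))
    if spec == "any" or VAR_RE.fullmatch(spec):
        return True
    try:
        ipaddress.ip_network(spec, strict=False)   # accepts 10.1.2.3 and 10.0.0.0/8
        return True
    except ValueError:
        return False


def valid_port_spec(spec: str) -> bool:
    """any, a $variable, a port, a range (80:90, :1024, 1024:), negation, or a [list]."""
    spec = spec[1:] if spec.startswith("!") else spec
    if spec.startswith("[") and spec.endswith("]"):
        return all(valid_port_spec(e) for e in _split_list(spec))
    if spec == "any" or VAR_RE.fullmatch(spec):
        return True
    m = re.fullmatch(r"(\d+)?(:)?(\d+)?", spec)
    if not m or spec in ("", ":"):
        return False
    lo, _, hi = m.groups()
    if any(n is not None and int(n) > 65535 for n in (lo, hi)):
        return False
    return lo is None or hi is None or int(lo) <= int(hi)


def parse_rule_header(rule: str) -> RuleHeader:
    """Return the seven header fields of a rule, or raise ValueError with the reason."""
    # The body (rule options) starts at the first "(" and is not part of the header.
    header = rule.split("(", 1)[0].strip()
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, found {len(fields)}: {header!r}")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r}; use -> or <>")
    for label, ip in (("source", src_ip), ("destination", dst_ip)):
        if not valid_ip_spec(ip):
            raise ValueError(f"bad {label} IP spec {ip!r}")
    for label, port in (("source", src_port), ("destination", dst_port)):
        if not valid_port_spec(port):
            raise ValueError(f"bad {label} port spec {port!r}")
    return RuleHeader(action, proto, src_ip, src_port, direction, dst_ip, dst_port)


def check_rule_header(rule: str) -> Optional[str]:
    """None if the header parses cleanly, otherwise the error message."""
    try:
        parse_rule_header(rule)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample rules; the first is the header used on this page.
    samples = [
        "alert tcp $EXTERNAL_NET 80 -> $HOME_NET any",
        'drop udp !10.0.0.0/8 [53,5353] <> 192.168.1.0/24 1024: ( msg:"constructed"; sid:1000001; )',
        "alert tcp any any <- any any ( sid:1000002; )",
        "alert tcp $HOME_NET any -> $EXTERNAL_NET 90:80 ( sid:1000003; )",
    ]
    for s in samples:
        err = check_rule_header(s)
        print(parse_rule_header(s) if err is None else f"REJECTED: {err}")
```

Running the script prints the parsed fields for the first two rules and rejects the last two, one for the non-existent <- operator and one for a port range written high:low. Whitespace splitting works because Snort's list syntax ([80,443], [$HOME_NET,!10.1.1.1]) contains no spaces; nested lists are out of scope for this example.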

Note: Snort 3 also introduces three new rule types that each have their own rule header format, and all three are described in later sections.