The Basics

Snort Rule Structure

Snort's intrusion detection and prevention system relies on the presence of Snort rules to protect networks, and those rules consist of two main sections:

  • The rule header defines the action to take upon any matching traffic, as well as the protocols, network addresses, port numbers, and direction of traffic that the rule should apply to.
  • The rule body section defines the message associated with a given rule, and most importantly the payload and non-payload criteria that need to be met in order for a rule to match. Although rule options are not required, they are essential for making sure a given rule targets the right traffic.

The following is an example of a fully-formed Snort 3 rule with a correct rule header and rule option definitions:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
(
    msg:"Attack attempt!";
    flow:to_client,established;
    file_data;
    content:"1337 hackz 1337",fast_pattern,nocase;
    service:http;
    sid:1;
)

The rule header includes all the text up to the first parenthesis, while the body includes everything between the two parentheses.

The action defined in a given Snort rule's header is not taken unless all of the rule's individual options evaluate to true.

Note: Snort 3 ignores extra whitespace in rules, so there is no need to escape newlines with backslashes as was required in Snort 2 rules.

Rule comments

Rule writers can also add comments to their rules to provide additional context or information about a rule or rule option. These comments are added with # to start a comment line or with /* … */ to create either inline or multi-line comments.

# hash comment here
content:"ABCD";
/* these can be used to create
   multi-line comments
*/
content:"ABCD"; /* or they can be used like this */
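To make the header/body split, the option syntax and both comment styles concrete, the following is an added Python example (not Snort project code) that strips comments and parses a Snort 3 rule into its seven header fields and its list of options; the sample rule is the page's example with comments added, and the parser makes the assumption that a `#` comment always starts its own line.

```python
import re
# Constructed sample: the page's rule with both comment styles added.
SAMPLE_RULE = """alert tcp $EXTERNAL_NET 80 -> $HOME_NET any
(
    # hash comment here
    msg:"Attack attempt!";
    flow:to_client,established;
    file_data; /* an option with no value */
    content:"1337 hackz 1337",fast_pattern,nocase;
    service:http;
    sid:1;
)
"""
HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")
def strip_comments(text):
    """Drop /* ... */ blocks and lines that start with '#' (quotes are not honoured here)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
def split_options(body):
    """Split the body on ';' but not inside double-quoted values (e.g. msg:"a;b")."""
    opts, buf, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():          # every option must be terminated by ';'
        raise ValueError("last option is missing its ';' terminator")
    return [o for o in opts if o]
def parse_rule(rule):
    """Return (header dict, [(option, value-or-None), ...]) for one Snort 3 rule."""
    rule = strip_comments(rule)
    head, paren, rest = rule.partition("(")      # header is everything before the first '('
    if not paren or not rest.rstrip().endswith(")"):
        raise ValueError("rule body must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("header needs %d fields, got %d" % (len(HEADER_FIELDS), len(fields)))
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    options = []
    for opt in split_options(rest.rstrip()[:-1]):
        name, _, value = opt.partition(":")      # bare keywords like file_data have no value
        options.append((name.strip(), value.strip() or None))
    return header, options
```

Running `parse_rule(SAMPLE_RULE)` yields the header fields by name and the six options in order, with `file_data` carrying no value; a missing `;` or a malformed header raises `ValueError` rather than silently producing a rule that would never match.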