Rule Options

Rule options are the heart and soul of a Snort rule, as they determine if a given packet should be passed along to its destination, or if it should instead be stopped in its tracks.

Each rule option has its own set of option-specific critera, but they all follow the same general structure. First, all rule options are enclosed in parentheses after the rule header. Then, each rule option is declared with its name followed optionally by a: character and any option-specific criteria. Lastly, each rule option is terminated with a ; character.

It's important to note that not all options have arguments, and some options have multiple arguments that are separated by commas.

There are four major categories of rule options:

  • general options provide additional context for a given rule
  • payload options set payload-specific criteria
  • non-payload options set non-payload specific criteria
  • post-detection options set actions to take on a given packet after the rule has "fired"

All of these are discussed in great detail later in the manual, but here are a few example options and their specific structure:

# this is an example of a buffer modifier, "http_uri"
# it tells Snort to look for subsequent content matches only in that buffer

# content match specific criteria, as well as others, require double quotes
# not all options have criteria that require quotes
# some options require specifying a "sub-option"