Snort 3 Rule Writing Guide
Introduction
Using Snort 3
Getting Started with Snort 3
Installing Snort
Using Snort
Command Line Basics
Reading Traffic
Configuration
Rules
Wizard and Binder
Tweaks and Scripts
Trace Modules
Alert Logging
Writing Snort Rules
The Basics
Rule Headers
Rule Actions
Protocols
IP Addresses
Port Numbers
Direction Operators
New Rule Types
Service Rules
File Rules
File Identification Rules
Rule Options
Rule Option Syntax Key
General Rule Options
msg
reference
gid
sid
rev
classtype
priority
metadata
service
rem
file_meta
Payload Detection Rule Options
content
fast_pattern
nocase
offset, depth, distance, and within
HTTP Specific Options
http_uri and http_raw_uri
http_header and http_raw_header
http_cookie and http_raw_cookie
http_client_body and http_raw_body
http_param
http_method
http_version
http_stat_code
http_stat_msg
http_raw_request and http_raw_status
http_trailer and http_raw_trailer
http_true_ip
http_version_match
http_num_headers
http_num_trailers
http_num_cookies
http_header_test
http_trailer_test
Combining Request and Response Detection
bufferlen
isdataat
dsize
pcre
regex
pkt_data
raw_data
file_data
js_data
vba_data
base64_decode and base64_data
byte_extract
byte_test
byte_math
byte_jump
ber_data and ber_skip
ssl_state and ssl_version
DCE Specific Options
SIP Specific Options
sd_pattern
cvs
md5, sha256, and sha512
GTP Specific Options
DNP3 Specific Options
CIP Specific Options
IEC 104 Specific Options
MMS Specific Options
Modbus Specific Options
S7CommPlus Specific Options
Non-Payload Detection Rule Options
fragoffset
ttl
tos
id
ipopts
fragbits
ip_proto
flags
flow
flowbits
file_type
seq
ack
window
itype
icode
icmp_id
icmp_seq
rpc
stream_reassemble
stream_size
Post-Detection Rule Options
detection_filter
replace
tag
Miscellaneous Information
Shared Object Rules
Snort 3 Rule Writing Guide
by the Cisco Talos Detection Response Team