Create SNORT rule

Estimated read time 2 min read

Introducing Snort Signatures: Simplify network intrusion detection with customizable rules. Easily define source and destination IPs, ports, protocol, content, and options. Enhance security efforts and detect potential threats effectively.


Snort Rules Cheat Sheet

Rule Structure:
[action] [protocol] [sourceIP] [sourcePort] -> [destinationIP] [destinationPort] ([rule options])

The action comes first (alert is one of the actions listed below), followed by the protocol, the source address and port, the direction operator, the destination address and port, and finally the rule options in parentheses. Each option ends with a semicolon.

Rule Actions:
- alert: Generate an alert for the matched traffic
- log: Log the matched traffic
- pass: Allow the matched traffic
- drop: Drop the matched traffic
- reject: Reject the matched traffic with a TCP reset

Protocols:
- tcp: TCP protocol
- udp: UDP protocol
- icmp: ICMP protocol
- ip: Any IP protocol

Rule Options:
- content: Specify the content to match in the packet payload
- msg: Add a custom message to the alert
- sid: Set a unique identifier for the rule
- rev: Set the revision number for the rule
- classtype: Classify the rule under a specific class type
- priority: Set the priority level for the rule
- flow: Define the flow direction for the rule (e.g., to_server, to_client)
- dsize: Match on the packet payload size
- flags: Match on specific TCP flags
- reference: Add a reference URL or identifier to the rule
- threshold: Set thresholds for generating alerts based on rule matches
- metadata: Add additional metadata to the rule
- content-list: Match against a list of content strings
- pcre: Match against a Perl-Compatible Regular Expression (PCRE)

Example Rules:
1. Simple Alert Rule:
alert tcp any any -> any 80 (msg:"Potential HTTP Connection"; content:"GET"; nocase; sid:100001;)

2. Logging Rule:
log tcp any any -> any 22 (msg:"SSH Connection Attempt"; sid:100002;)

3. Drop Rule (only drops traffic when Snort runs in inline mode):
drop icmp any any -> any any (msg:"ICMP Packet Dropped"; sid:100003;)

4. Rule with Multiple Options:
alert tcp any any -> any 443 (msg:"Sensitive Information Exfiltration"; content:"credit card"; nocase; content:"password"; nocase; sid:100004;)
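As an added example that is not part of the original cheat sheet, the Python below parses rules in the structure shown above, rejects a header with an unknown action or protocol or a missing sid, and applies the content/nocase options to a constructed payload the way Snort does (every content must match, nocase binds to the content just before it, and |xx| hex runs are expanded). The function names and the sample rules and payloads are this example's own.

```python
import re

# Header grammar from the cheat sheet: action, protocol, src IP/port, direction,
# dst IP/port, then a parenthesised ';'-separated option list.
ACTIONS = {"alert", "log", "pass", "drop", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key[:value]; where value may be a double-quoted string (which may contain ';')
OPTION_RE = re.compile(r'([a-z_-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split one Snort rule into header fields plus an ordered option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header: " + rule)
    if m["action"] not in ACTIONS or m["proto"] not in PROTOCOLS:
        raise ValueError("unknown action or protocol in: " + rule)
    options = []
    for key, value in OPTION_RE.findall(m["opts"]):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the quotes around msg/content values
        options.append((key, value or None))  # bare flags such as nocase carry no value
    if not any(key == "sid" for key, _ in options):
        raise ValueError("rule has no sid; every rule needs a unique one")
    return {**m.groupdict(), "options": options}


def decode_content(value):
    """Turn a content string into bytes, expanding Snort's |xx xx| hex runs."""
    out = bytearray()
    for i, piece in enumerate(value.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)


def payload_matches(rule, payload):
    """True when every content option is found in payload; a 'nocase' option
    makes the content immediately before it case-insensitive (other modifiers ignored)."""
    contents = []
    for key, value in rule["options"]:
        if key == "content":
            contents.append([decode_content(value), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True
```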