Snort rules are written instructions that tell the Snort Intrusion Detection System (IDS) what network activity to watch for and how to respond. These rules help detect suspicious or malicious traffic moving through your network, from malware downloads to port scans.
If you want to keep your network safe, understanding Snort rules is a must-have knowledge. This article covers what Snort rules are, how they work, why they matter, and how to start writing your own. Whether you’re upskilling for a new cert, onboarding a security team member, or just hate nasty surprises in your SIEM, this guide delivers the essentials.
We'll cover real Snort rules examples, syntax basics, and quick tips to lower your false positives (and your blood pressure).
Snort rules are the core logic for the Snort IDS and IPS platforms. They act as customized tripwires, telling Snort exactly what patterns of network traffic should trigger alerts or actions. Think of them as digital security guards with specific instructions on what threats to watch out for, like “flag any packet with a weird port combo” or “yell if someone tries a SQL injection.”
Snort rules use a plain text language, making them approachable for beginners, but powerful enough for seasoned pros. The customizability of these rules makes Snort one of the most widely used open-source network security tools on the planet.
Cybersecurity isn’t just about firewalls and antivirus software anymore; detection is everything. Snort rules empower security teams to:
Spot known threats and zero-day attacks
Tune detection for your unique network
React fast to emerging vulnerabilities
Audit traffic for compliance and forensics
Because Snort is open source, cybersecurity professionals can write, tweak, or share Snort rules as new threats emerge, making your network’s defenses as up-to-date as your threat intelligence.
Snort sits on your network, scanning packet traffic in real time. When Snort encounters traffic, it checks each packet against its library of rules. If a rule matches (for example, a suspicious command or a known malware signature), Snort wakes up the alarm system and takes action (such as logging the event, alerting the SOC, or outright blocking the traffic in IPS mode).
This approach turns Snort into a flexible “if-this-then-that” engine for keeping threats out of your environment.
Ready to peek under the hood? A Snort rule is made up of two main parts:
The header tells Snort what to look for and where. Its structure is:
```
action protocol sourceIP sourceport -> destinationIP destinationport
```
Here’s a quick translation:
action (what to do): alert, log, pass, activate, dynamic, drop, reject, sdrop
protocol (which type of traffic): tcp, udp, icmp, ip
source IP / port (where traffic comes from)
direction (-> or <->)
destination IP / port (where traffic goes)
Example header:
```
alert tcp $EXTERNALNET any -> $HOMENET 80
```
Translation: Alert if any external host talks TCP to any host in our home network on port 80.
The options are like the fine print—they describe the detailed conditions and actions. These live inside parentheses and are semicolon-separated. Example options include:
msg: (what message to show/log)
content: (look for specific text in payloads)
sid: (unique rule ID)
rev: (rule revision)
classtype: (attack category)
reference: (external docs/databases)
flow, flags, offset, depth, bytetest: (advanced matching logic)
Example:
```
(msg:"Possible SQL Injection"; content:"SELECT"; nocase; sid:1000001; rev:1;)
```
Put it together:
```
alert tcp $EXTERNALNET any -> $HOMENET 80 (msg:"Possible SQL Injection"; content:"SELECT"; nocase; sid:1000001; rev:1;)
```
This rule flags any HTTP packet sent to your web server with the word "SELECT" (commonly used in SQL injection attempts), regardless of capitalization.
Building Snort rules is a skill every threat hunter should have in their arsenal. Follow these simple steps to write and test your own:
Pinpoint the threat, anomaly, or behavior you want to watch for. This could be:
Malware signatures (payload patterns)
Suspicious use of ports
Brute-force authentication attempts
Data exfiltration activity
Unapproved protocols
Decide what action you want Snort to take, then specify the type of traffic, source, direction, and target.
Example header (detect all ICMP pings from any source):
```
alert icmp any any -> any any
```
Add options to hone in on the threat. For instance, use msg to describe the detection, content to specify the payload, and sid to create a unique ID.
Drop your new rule into the appropriate rules file (often in /etc/snort/rules/). Test using a packet generator or simulated attack, check the alert, and adjust as needed.
```
alert tcp any any -> any 23 (msg:"Possible Telnet Connection"; sid:1000002; rev:1;)
```
Flag all attempts to connect to port 23 (Telnet), a BIG red flag in modern environments.
```
alert tcp $EXTERNALNET any -> $HOMENET 80 (msg:"Suspicious User-Agent"; content:"evilbot"; httpheader; sid:1000003; rev:1;)
```
Alerts when a known-bad User-Agent string is spotted in HTTP headers.
```
alert udp any any -> any 53 (msg:"Possible DNS Tunnel"; content:"bad.command"; sid:1000004; rev:1;)
```
Flags DNS queries containing "bad.command," a common trick in exfiltration attacks.
Start small: Test rules in isolation before going live.
Comment everything: Use clear msg fields and comments for human readers.
Avoid rule overlap: Overlapping rules can cause duplicates or conflicts.
Tune often: Adjust rules to reduce false positives without missing real threats.
ID and revision: Always use unique sid and increment the rev for versioning.
Stay updated: Reference public Snort rule repositories and US-CERT advisories (see CISA for latest).
Snort is a powerful IDS tool, and mastering its rules can significantly enhance your network's security. This article covered the basics of reading and writing Snort rules, tuning them to reduce false positives, and understanding their compatibility with other systems like Suricata. With these insights, cybersecurity pros can optimize their threat detection and response strategies effectively.
Snort rules are the brains of Snort's alerts (and blocks)—a must-know for threat detection.
They're plain text, customizable, and infinitely shareable.
Mastering the basics lets you spot, tweak, or write new rules fast.
Real-world security means regular review, tuning, and learning from your alerts.
For up-to-date rules, always check trusted sources like CISA and Snort.org.
