huntress logo
Glitch effect
Glitch effect

Snort rules are written instructions that tell the Snort Intrusion Detection System (IDS) what network activity to watch for and how to respond. These rules help detect suspicious or malicious traffic moving through your network, from malware downloads to port scans.

If you want to keep your network safe, understanding Snort rules is a must-have knowledge. This article covers what Snort rules are, how they work, why they matter, and how to start writing your own. Whether you’re upskilling for a new cert, onboarding a security team member, or just hate nasty surprises in your SIEM, this guide delivers the essentials.

We'll cover real Snort rules examples, syntax basics, and quick tips to lower your false positives (and your blood pressure).

What are Snort rules?

Snort rules are the core logic for the Snort IDS and IPS platforms. They act as customized tripwires, telling Snort exactly what patterns of network traffic should trigger alerts or actions. Think of them as digital security guards with specific instructions on what threats to watch out for, like “flag any packet with a weird port combo” or “yell if someone tries a SQL injection.”

Snort rules use a plain text language, making them approachable for beginners, but powerful enough for seasoned pros. The customizability of these rules makes Snort one of the most widely used open-source network security tools on the planet.

Why Snort rules matter in cybersecurity

Cybersecurity isn’t just about firewalls and antivirus software anymore; detection is everything. Snort rules empower security teams to:

  • Spot known threats and zero-day attacks

  • Tune detection for your unique network

  • React fast to emerging vulnerabilities

  • Audit traffic for compliance and forensics

Because Snort is open source, cybersecurity professionals can write, tweak, or share Snort rules as new threats emerge, making your network’s defenses as up-to-date as your threat intelligence.

How do Snort rules work?

Snort sits on your network, scanning packet traffic in real time. When Snort encounters traffic, it checks each packet against its library of rules. If a rule matches (for example, a suspicious command or a known malware signature), Snort wakes up the alarm system and takes action (such as logging the event, alerting the SOC, or outright blocking the traffic in IPS mode).

This approach turns Snort into a flexible “if-this-then-that” engine for keeping threats out of your environment.

Snort rules breakdown cheat sheet

Ready to peek under the hood? A Snort rule is made up of two main parts:

1. Rule header

The header tells Snort what to look for and where. Its structure is:

```

action protocol sourceIP sourceport -> destinationIP destinationport

```

Here’s a quick translation:

  • action (what to do): alert, log, pass, activate, dynamic, drop, reject, sdrop

  • protocol (which type of traffic): tcp, udp, icmp, ip

  • source IP / port (where traffic comes from)

  • direction (-> or <->)

  • destination IP / port (where traffic goes)

Example header:

```

alert tcp $EXTERNALNET any -> $HOMENET 80

```

Translation: Alert if any external host talks TCP to any host in our home network on port 80.

2. Rule options

The options are like the fine print—they describe the detailed conditions and actions. These live inside parentheses and are semicolon-separated. Example options include:

  • msg: (what message to show/log)

  • content: (look for specific text in payloads)

  • sid: (unique rule ID)

  • rev: (rule revision)

  • classtype: (attack category)

  • reference: (external docs/databases)

  • flow, flags, offset, depth, bytetest: (advanced matching logic)

Example:

```

(msg:"Possible SQL Injection"; content:"SELECT"; nocase; sid:1000001; rev:1;)

```

Put it together:

```

alert tcp $EXTERNALNET any -> $HOMENET 80 (msg:"Possible SQL Injection"; content:"SELECT"; nocase; sid:1000001; rev:1;)

```

This rule flags any HTTP packet sent to your web server with the word "SELECT" (commonly used in SQL injection attempts), regardless of capitalization.

Writing Snort Rules

Building Snort rules is a skill every threat hunter should have in their arsenal. Follow these simple steps to write and test your own:

1. Identify what to detect

Pinpoint the threat, anomaly, or behavior you want to watch for. This could be:

  • Malware signatures (payload patterns)

  • Suspicious use of ports

  • Brute-force authentication attempts

  • Data exfiltration activity

  • Unapproved protocols

2. Draft the rule header

Decide what action you want Snort to take, then specify the type of traffic, source, direction, and target.

Example header (detect all ICMP pings from any source):

```

alert icmp any any -> any any

```

3. Fine-tune with rule options

Add options to hone in on the threat. For instance, use msg to describe the detection, content to specify the payload, and sid to create a unique ID.

4. Save and test

Drop your new rule into the appropriate rules file (often in /etc/snort/rules/). Test using a packet generator or simulated attack, check the alert, and adjust as needed.

More Snort rule examples

Example 1: Block Telnet attempts

```

alert tcp any any -> any 23 (msg:"Possible Telnet Connection"; sid:1000002; rev:1;)

```

Flag all attempts to connect to port 23 (Telnet), a BIG red flag in modern environments.

Example 2: Detect suspicious HTTP user-agent

```

alert tcp $EXTERNALNET any -> $HOMENET 80 (msg:"Suspicious User-Agent"; content:"evilbot"; httpheader; sid:1000003; rev:1;)

```

Alerts when a known-bad User-Agent string is spotted in HTTP headers.

Example 3: Watch for suspicious DNS traffic

```

alert udp any any -> any 53 (msg:"Possible DNS Tunnel"; content:"bad.command"; sid:1000004; rev:1;)

```

Flags DNS queries containing "bad.command," a common trick in exfiltration attacks.

Snort rules best practices

  • Start small: Test rules in isolation before going live.

  • Comment everything: Use clear msg fields and comments for human readers.

  • Avoid rule overlap: Overlapping rules can cause duplicates or conflicts.

  • Tune often: Adjust rules to reduce false positives without missing real threats.

  • ID and revision: Always use unique sid and increment the rev for versioning.

  • Stay updated: Reference public Snort rule repositories and US-CERT advisories (see CISA for latest).

Frequently asked questions about Snort rules

Glitch effectBlurry glitch effect

Key takeaways for busy cyber pros

Snort is a powerful IDS tool, and mastering its rules can significantly enhance your network's security. This article covered the basics of reading and writing Snort rules, tuning them to reduce false positives, and understanding their compatibility with other systems like Suricata. With these insights, cybersecurity pros can optimize their threat detection and response strategies effectively.

  • Snort rules are the brains of Snort's alerts (and blocks)—a must-know for threat detection.

  • They're plain text, customizable, and infinitely shareable.

  • Mastering the basics lets you spot, tweak, or write new rules fast.

  • Real-world security means regular review, tuning, and learning from your alerts.

  • For up-to-date rules, always check trusted sources like CISA and Snort.org.


Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free