Cyber Security Academy · Lesson

Signature Rules with Snort and Suricata

Writing and reading network rules.

Snort and Suricata

Snort and Suricata are the two dominant open-source IDS/IPS engines. They share a largely compatible rule language, so a rule written for one usually runs on the other; the exceptions are engine-specific keywords (Suricata's sticky buffers such as http.uri and tls.sni, for example) and Snort 3's move of HTTP modifiers like http_uri from post-content modifiers to buffers declared before the content, so always validate a rule on the engine that will run it rather than assuming portability.

Suricata adds multi-threading, native protocol parsers, file extraction, and rich logging (EVE JSON); Snort 3 modernized its own engine similarly. Learning the rule syntax once gives you leverage over both.

Rule Anatomy

Every rule has two parts: a header and a parenthesized body of options. The header sets the action (alert, drop, pass, ...), the protocol, the source address and port, the traffic direction (-> or <>), and the destination address and port; variables such as $HOME_NET and $EXTERNAL_NET are expanded from the engine's configuration. The body is a sequence of options, each terminated by a semicolon: match options such as content and its modifiers (http_uri) define what to look for, while msg, sid, and rev define how the hit is reported. sid must be unique across the loaded ruleset and rev must be incremented every time the rule changes, because downstream tooling keys on the sid:rev pair. Long rules may be split across lines with a trailing backslash, as in the example below.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
  msg:"WEB suspicious request"; \
  content:"/admin.php"; http_uri; \
  sid:1000001; rev:1; )
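To make the anatomy concrete, here is an added example (not part of the lesson) of a small Python parser that splits a rule into its header fields and ordered option list, handling the backslash line continuation and semicolons inside quoted strings, and then lints the results for the mistakes a reviewer most often catches: a missing msg, sid or rev, a non-numeric or duplicate sid, and a sid below 1,000,000, the range conventionally reserved for vendor rulesets. The sample rules in SAMPLE_RULES are constructed for this example; the second one deliberately contains a semicolon inside its msg to exercise the quoting logic.

```python
import re
from dataclasses import dataclass

# Constructed sample rules for this example (not from the lesson).
# The second msg contains a ';' on purpose to exercise quote handling.
SAMPLE_RULES = r'''
# HTTP admin probe, written across lines with backslash continuation
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
  msg:"WEB suspicious request"; \
  content:"/admin.php"; http_uri; \
  sid:1000001; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"TLS hello; outbound"; content:"|16 03 01|"; depth:3; sid:1000002; rev:2;)
'''

# Header: action proto src sport dir dst dport ( body )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # ordered list of (keyword, value-or-None); order matters for modifiers

    def header(self):
        return ' '.join([self.action, self.proto, self.src, self.sport,
                         self.direction, self.dst, self.dport])

def join_continuations(text):
    """Merge lines ending in '\\' into one logical rule; drop blank and '#' comment lines."""
    logical, buf = [], ''
    for line in text.splitlines():
        stripped = line.strip()
        if buf == '' and (not stripped or stripped.startswith('#')):
            continue
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '
            continue
        logical.append(buf + stripped)
        buf = ''
    if buf:
        logical.append(buf.strip())
    return logical

def split_options(body):
    """Split the option body on ';' outside double quotes; values lose their surrounding quotes."""
    opts, cur, in_quote, i = [], '', False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote and i + 1 < len(body):   # keep escaped chars inside quotes
            cur += body[i:i + 2]; i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(cur.strip()); cur = ''
        else:
            cur += ch
        i += 1
    if cur.strip():
        raise ValueError('option not terminated by ";": %r' % cur.strip())
    parsed = []
    for opt in opts:
        if not opt:
            continue
        key, sep, val = opt.partition(':')
        val = val.strip()
        if sep and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        parsed.append((key.strip(), val if sep else None))
    return parsed

def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('unparseable rule header: ' + line)
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dir'],
                m['dst'], m['dport'], split_options(m['body']))

def parse_rules(text):
    return [parse_rule(line) for line in join_continuations(text)]

def lint(rules):
    """Return human-readable findings; an empty list means the ruleset passed these checks."""
    findings, seen = [], set()
    for r in rules:
        opts = dict(r.options)
        for req in ('msg', 'sid', 'rev'):
            if req not in opts:
                findings.append('missing %s in rule: %s' % (req, r.header()))
        sid, rev = opts.get('sid'), opts.get('rev')
        if sid is not None:
            if not sid.isdigit():
                findings.append('non-numeric sid %r' % sid)
            else:
                if int(sid) < 1000000:
                    findings.append('sid %s is in the range conventionally reserved for vendor rulesets' % sid)
                if sid in seen:
                    findings.append('duplicate sid %s' % sid)
                seen.add(sid)
        if rev is not None and not (rev.isdigit() and int(rev) >= 1):
            findings.append('rev must be a positive integer, got %r (sid %s)' % (rev, sid))
    return findings

if __name__ == '__main__':
    for rule in parse_rules(SAMPLE_RULES):
        print(rule.header(), rule.options)
    print('findings:', lint(parse_rules(SAMPLE_RULES)))
```

The option list is kept in order rather than collapsed into a dictionary during parsing because order is semantically significant: a modifier such as http_uri applies to the content that precedes it, and collapsing the list early would lose that relationship. This parser covers the syntax shown in the lesson, not every keyword either engine accepts; the authoritative check remains loading the file with the engine itself (for example suricata -T -S rules.file or snort -T).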
