3.12 Writing Good Rules
The Snort distribution ships with a large set of predefined rules. Reading those rules gives you a fairly good idea of how to write good rules of your own. Although none of them is mandatory, you should include the following parts in the options of each rule:
- A message part, using the msg keyword.
- A rule classification, using the classification keyword.
- A number that uniquely identifies the rule, using the sid keyword.
- If the vulnerability is known, a reference to a URL where more information can be found, using the reference keyword.
- The rev keyword, always, so that different versions of the same rule can be told apart.
In addition, you should always try to write rules that are generalized and able to detect multiple variations of an attack. Attackers usually reuse the same tools with small modifications for different purposes, and a good rule can and should detect these variations rather than a single fixed payload.
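As an added example (not code from the book or from the Snort project), the following Python script turns the checklist above into an automated check: it parses a single-line Snort rule into its header and its option list, then reports which of the recommended option keywords are absent. Note that Snort spells the classification option `classtype`, so that is the keyword the checker looks for. The two sample rules are constructed for this example; the content patterns, classification value and URL in them are placeholders, not real signatures.

```python
import re

# Option keywords this section recommends in every rule. Snort's keyword for
# the rule classification is spelled "classtype".
RECOMMENDED = ("msg", "classtype", "sid", "reference", "rev")

# Header: action protocol src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _split_option(token):
    """Split 'keyword:value' into (keyword, value); a bare keyword gets None."""
    key, sep, value = token.partition(":")
    value = value.strip().strip('"') if sep else None
    return key.strip(), value


def parse_rule(rule):
    """Return (header_dict, options) for a single-line Snort rule.

    Options are separated by ';'. A quoted value such as msg or content may
    itself contain ';', so the split only honours separators outside double
    quotes (a backslash-escaped quote does not toggle quoting).
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a valid rule header: %r" % rule)
    header = m.groupdict()
    options = []
    buf, in_quote, prev = [], False, ""
    for ch in header.pop("opts"):
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                options.append(_split_option(token))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        options.append(_split_option(tail))
    return header, options


def check_rule(rule):
    """Return a list of findings; an empty list means the rule has every
    recommended keyword and numeric sid/rev values."""
    _, options = parse_rule(rule)
    present = {k for k, _ in options}
    values = dict(options)
    findings = ["missing %s" % kw for kw in RECOMMENDED if kw not in present]
    for kw in ("sid", "rev"):
        if kw in present and not (values.get(kw) or "").isdigit():
            findings.append("%s is not a number" % kw)
    return findings


# Constructed sample rules (placeholder patterns, not real signatures).
GOOD = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example; probe"; '
    'flow:to_server,established; content:"/example-path"; nocase; '
    'classtype:web-application-activity; reference:url,www.example.com/advisory; '
    'sid:1000001; rev:2;)'
)
BARE = 'alert tcp any any -> any 80 (content:"/example-path";)'

if __name__ == "__main__":
    for name, rule in (("GOOD", GOOD), ("BARE", BARE)):
        findings = check_rule(rule)
        print(name, "OK" if not findings else "; ".join(findings))
```

Running the script reports the first rule as complete and lists the five missing keywords for the second. The parser keeps quoted values intact, so a `msg` text that contains a semicolon does not break the option split; that is the one point where a naive `split(";")` goes wrong on real rule files.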