Rule options form the heart of Snort's intrusion detection engine, combining
ease of use with power and flexibility. All Snort rule options are separated
from each other using the semicolon (;) character. Rule option keywords are
separated from their arguments with a colon (:) character.
There are four major categories of rule options.
- general: These options provide information about the rule but do not have any effect during detection.
- payload: These options all look for data inside the packet payload and can be inter-related.
- non-payload: These options look for non-payload data.
- post-detection: These options are rule-specific triggers that happen after a rule has "fired."
Eugene Misnik
2013-05-08