Tuesday, October 18, 2022

New Snort 3 rule writing guide available

Snort 3's new features, improvements and detection capabilities come with updates to the Snort rule language syntax and the rule-writing process.  

To help with that, direct from the Talos analyst team, comes the Snort 3 Rule Writing guide: Detailed documentation for all the different rule options available in Snort 3. 

The Snort 3 Rule Writing Guide is meant for new and experienced Snort rule-writers alike, focusing primarily on the rule-writing process. It is intended to supplement the documentation provided in the official Snort 3 repository (the official Snort User Manual). Each rule option has its own page to describe its functionality and syntax, along with examples to show how the option might be used in a Snort rule.  

The guide covers the essential information for new Snort users to get Snort 3 up and running. This includes installation and usage instructions, a brief look into Snort 3's internals, the basics of configuration files, and detailed information on writing effective Snort 3 rules. Despite the manual's broad scope, users will however still need to refer to the full user manual to find more comprehensive and advanced guidance on non-rule-writing-specific topics. 

Experienced Snort users who are already comfortable using Snort can skip the "Getting Started" section and instead jump right to the "Rule Options" section to get extensive documentation on the unchanged, updated and new rule options present in Snort 3. Watch out specifically for the now-sticky HTTP buffers, the new "alert file" and "alert http" rule types, as well as the new options like "http_param", "js_data", and "bufferlen".

As Snort 3 continues to evolve, this manual will too. The analyst team will provide updates to the manual to keep the greater Snort community abreast of any recent changes.