
3.3 Rule Options

Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility. All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character.

There are four major categories of rule options.

meta-data
These options provide information about the rule but do not have any effect during detection.
payload
These options all look for data inside the packet payload and can be inter-related.
non-payload
These options look for non-payload data.
post-detection
These options are rule-specific triggers that happen after a rule has "fired."
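
The separator rules and the four categories above can be exercised with a small option parser. This is an added example, not code from the Snort manual or the Snort project: the `CATEGORY` table is a partial keyword list, the sample rule is constructed, and treating an unescaped `;` inside a quoted argument as an error is this example's own strictness (Snort's content option requires that character to be escaped).

```python
# Added example (not Snort's own parser). CATEGORY is a partial keyword list.
CATEGORY = {
    "meta-data": {"msg", "reference", "gid", "sid", "rev", "classtype", "priority"},
    "payload": {"content", "nocase", "depth", "offset", "distance", "within", "pcre"},
    "non-payload": {"ttl", "tos", "dsize", "flags", "flow", "flowbits", "itype"},
    "post-detection": {"logto", "session", "resp", "react", "tag"},
}

def split_options(body):
    """Split an option string on ';', honouring backslash escapes."""
    options, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:                      # character after '\' is taken literally
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ";":
            if in_quote:                 # example's strictness: expect '\;' here
                raise ValueError("unescaped ';' inside quoted argument: " + cur)
            if cur.strip():
                options.append(cur.strip())
            cur = ""
        else:
            in_quote ^= (ch == '"')      # track whether we are inside "..."
            cur += ch
    if in_quote:
        raise ValueError("unterminated quoted argument: " + cur)
    if cur.strip():                      # tolerate a final option without ';'
        options.append(cur.strip())
    return options

def parse_rule(rule):
    """Return (keyword, argument, category) for each option of one rule."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("no (...) option section found")
    parsed = []
    for opt in split_options(rule[start + 1:end]):
        keyword, sep, arg = opt.partition(":")   # keyword:argument, first ':' only
        keyword = keyword.strip()
        cat = next((c for c, kws in CATEGORY.items() if keyword in kws), "unknown")
        parsed.append((keyword, arg.strip() if sep else None, cat))
    return parsed

# Constructed sample rule, not a published signature.
SAMPLE = r'alert tcp any any -> any 80 (msg:"constructed\; demo"; flow:to_server,established; content:"GET"; nocase; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for keyword, arg, cat in parse_rule(SAMPLE):
        print("%-14s %-10s %s" % (cat, keyword, arg))
```

Options that report `unknown` are simply missing from the partial table; extend `CATEGORY` before using the output to audit a rule set.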