SSFRULES v2.0 - Securing Cisco Networks with Snort Rule Writing Best Practices

Networking/Server/Operating Systems
  LearnITAnytime Online Subscription (1 Year Subscription - $195.00)
  IT Online Library (1 Year Subscription - $1595.00)
  Private Mentoring 3 Hours ($225)
If quantity is more than 1, Please add all Attendees' Names /Voucher #/ Learning Credit below separated with a comma. If not specified, we will contact you prior to the class start date. Special Instructions


Securing Cisco? Networks with Snort Rule Writing Best Practices (SSFRULES) is an instructor-led, lab-intensive, course that introduces users of open source Snort or Sourcefire FireSIGHT1 systems to the Snort rules language and rule-writing best practices.

You will focus exclusively on the Snort rules language and rule writing. Starting from rule syntax and structure to advanced rule option usage, you will analyze exploit packet captures and put the rule writing theories learned to work by implementing rule language features to trigger alerts on the offending network traffic.

This course also provides instruction and lab exercises on how to detect certain types of attacks, such as buffer overflows, using various rule writing techniques. You will test your rule writing skills with two challenges: a theoretical challenge that tests your knowledge of rule syntax and usage, and a practical challenge in which you analyze and research an exploiting event, so you can defend your installations against attacks

This course combines lecture materials and hands-on labs throughout to make sure that you are able to successfully understand and implement open source rules.


After completing this course the student should be able to:

  • Describe the Snort rule development process
  • Describe the Snort basic rule syntax and usage
  • Describe how traffic is processed by Snort
  • Describe several advanced rule options used by Snort
  • Describe OpenAppID features and functionality
  • Describe how to monitor the performance of Snort and how to tune rules


The knowledge and skills that a learner must have before attending this course are as follows:

  • Technical understanding of TCP/IP networking and network architecture
  • Working knowledge of how to use and operate Cisco and Sourcefire systems or open source Snort
  • Working knowledge of command-line text editing tools, such as the vi editor
  • Basic rule-writing experience is suggested

Who Should Attend

This course is designed for technical professionals who need to know how to write rules and understand open source Snort language.

The primary audience for this course includes:

  • Security administrators
  • Security consultants
  • Network administrators
  • System engineers
  • Technical support personnel using open source IDS and IPS
  • Channel partners and resellers


Module 1: Introduction to Snort Rule Development

Module 2: Snort Rule Syntax and Usage

Module 3: Traffic Flow Through Snort Rules

Module 4: Advanced Rule Options

Module 5: OpenAppID Detection

Module 6 Tuning Snort

Lab Outline

Lab 1: Connecting to the Lab Environment
Lab 2: Introducing Snort Rule Development
Lab 3: Basic Rule Syntax and Usage
Lab 4: Advanced Rule Options
Lab 5: OpenAppID
Lab 6: Tuning Snort