Duration: 3 days
Version: 2.1

Continuing Education credits: 24 points

Schedule of CLC-eligible Courses: here
Price in Cisco Learning Credits (CLCs): 28
Note: Cisco may charge you VAT or Sales Tax if and where applicable.

Securing Cisco Networks with Snort Rule Writing Best Practices (SSFRULES) is an instructor-led or virtual instructor-led course that shows you how to write rules for Snort, an open-source intrusion detection and prevention system. Through a combination of expert-instruction and hands-on practice, this course provides you with the knowledge and skills to develop and test custom rules, standard and advanced rules-writing techniques, how to integrate OpenAppID into rules, rules filtering, rules tuning, and more. The hands-on labs give you practice in creating and testing Snort rules.

This course will help you:
  • gain an understanding of characteristics of a typical Snort rule development environment,
  • gain hands-on practices on creating rules for Snort,
  • gain knowledge in Snort rule development, Snort rule language, standard and advanced rule options.


Upon completion of this course, you should be able to:
  • Describe the Snort rule development process
  • Describe the Snort basic rule syntax and usage
  • Describe how traffic is processed by Snort
  • Describe several advanced rule options used by Snort
  • Describe OpenAppID features and functionality
  • Describe how to monitor the performance of Snort and how to tune rules


Course Outline
  • Module 1: Introduction to Snort Rule Development
  • Module 2: Snort Rule Syntax and Usage
  • Module 3: Traffic Flow Through Snort Rules
  • Module 4: Advanced Rule Options
  • Module 5: OpenAppID Detection
  • Module 6 Tuning Snort

Lab Outline
  • Lab 1: Connecting to the Lab Environment
  • Lab 2: Introducing Snort Rule Development
  • Lab 3: Basic Rule Syntax and Usage
  • Lab 4: Advanced Rule Options
  • Lab 5: OpenAppID
  • Lab 6: Tuning Snort

Prerequisite Knowledge

Cisco recommends that you have the following knowledge and skills before taking this course:
  • Basic understanding of networking and network protocols
  • Basic knowledge of Linux command-line utilities
  • Basic knowledge of text editing utilities commonly found in Linux
  • Basic knowledge of network security concepts
  • Basic knowledge of a Snort-based IDS/IPS system

This course is for technical professionals to gain skills in writing rules for Snort-based Intrusion Detection Systems (IDS) and intrusion prevention systems (IPS). The primary audience includes:
  • Security administrators
  • Security consultants
  • Network administrators
  • System engineers
  • Technical support personnel using open source IDS and IPS
  • Channel partners and resellers