Securing Cisco Networks with Snort Rule Writing Best Practices (SSFRULES) v2.0 is a 3-day instructor-led or virtual instructor-led, lab-based, hands-on course that introduces you to Snort rule writing. Among other powerful features, you will become familiar with:
  • Snort rule development
  • Snort rule language
  • Standard and advanced rule options
  • OpenAppID
  • Tuning
The course begins by identifying the key features and characteristics of a typical Snort rule development environment. You will develop and test custom rules in a preinstalled Snort environment and identify how to use advanced rule-writing techniques. You will investigate how to include OpenAppID in your rules and also identify how to filter rules and monitor their performance. This course combines lecture materials and hands-on labs that give you practice in creating Snort rules.


Upon completion of this course, you should be able to:
  • Describe the Snort rule development process
  • Describe the Snort basic rule syntax and usage
  • Describe how traffic is processed by Snort
  • Describe several advanced rule options used by Snort
  • Describe OpenAppID features and functionality
  • Describe how to monitor the performance of Snort and how to tune rules


Course Outline
  • Module 1: Introduction to Snort Rule Development
  • Module 2: Snort Rule Syntax and Usage
  • Module 3: Traffic Flow Through Snort Rules
  • Module 4: Advanced Rule Options
  • Module 5: OpenAppID Detection
  • Module 6: Tuning Snort

Lab Outline
  • Lab 1: Connecting to the Lab Environment
  • Lab 2: Introducing Snort Rule Development
  • Lab 3: Basic Rule Syntax and Usage
  • Lab 4: Advanced Rule Options
  • Lab 5: OpenAppID
  • Lab 6: Tuning Snort

Prerequisite Knowledge

Cisco recommends that you have the following knowledge and skills before taking this course:
  • Basic understanding of networking and network protocols
  • Basic knowledge of Linux command-line utilities
  • Basic knowledge of text editing utilities commonly found in Linux
  • Basic knowledge of network security concepts
  • Basic knowledge of a Snort-based IDS/IPS system