3.3 Rule Options

Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility. All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character.

There are four major categories of rule options.

general
These options provide information about the rule but do not have any effect during detection.

payload
These options all look for data inside the packet payload and can be inter-related.

non-payload
These options look for non-payload data.

post-detection
These options are rule-specific triggers that happen after a rule has “fired.”
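
The separator syntax and the four categories above can be seen together in the following added example, which is not part of the Snort manual or Snort's own parser. It splits a rule's option block on semicolons, splits each option on its first colon, and labels the keyword with its category. The keyword sets are a partial subset of Snort 2.x keywords, the sample rule is constructed, and the handling of backslash escapes and double quotes is an assumption about how a semicolon can appear inside an argument.

```python
# Added example: split a Snort rule's option block and classify each option.
# Keyword sets are a partial subset of Snort 2.x keywords, not the full list.
CATEGORIES = {
    "general": {"msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata"},
    "payload": {"content", "nocase", "rawbytes", "depth", "offset", "distance", "within", "pcre"},
    "non-payload": {"ttl", "tos", "id", "ipopts", "fragbits", "dsize", "flags", "flow", "flowbits"},
    "post-detection": {"logto", "session", "resp", "react", "tag"},
}

def split_options(body):
    """Split on ';' unless it is backslash-escaped or inside double quotes (assumption)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if escaped:
            escaped = False          # this character was escaped; consume the flag
        elif ch == "\\":
            escaped = True           # next character is taken literally
        elif ch == '"':
            in_quote = not in_quote
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def parse_rule_options(rule):
    """Return [(category, keyword, argument-or-None)] for the text inside ( ... )."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = []
    for opt in split_options(body):
        keyword, sep, arg = opt.partition(":")   # keyword and argument split on first ':'
        keyword = keyword.strip()
        category = next((c for c, kws in CATEGORIES.items() if keyword in kws), "unknown")
        parsed.append((category, keyword, arg.strip() if sep else None))
    return parsed

# Constructed sample rule (sid taken from the local-rule range)
SAMPLE_RULE = (r'alert tcp any any -> any 80 (msg:"Example\; constructed rule"; '
               r'flow:to_server,established; content:"GET"; nocase; '
               r'session:printable; sid:1000001; rev:1;)')

if __name__ == "__main__":
    for category, keyword, arg in parse_rule_options(SAMPLE_RULE):
        print(f"{category:15} {keyword:8} {arg}")
```

A plain `split(";")` would cut the `msg` argument in two at the escaped semicolon, which is why the splitter tracks escape and quote state.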