If you are not sure if the website you would like to visit is secure, you can verify it here. Enter the website address of the page and see parts of its content and the thumbnail images on this site. None (if any) dangerous scripts on the referenced page will be executed. Additionally, if the selected site contains subpages, you can verify it (review) in batches containing 5 pages.
favicon.ico: docs.snort.org/start/configuration - Configuration - Snort 3 Rule W.

site address: docs.snort.org/start/configuration.html redirected to: docs.snort.org/start/configuration

site title: Configuration - Snort 3 Rule Writing Guide

Our opinion (on Thursday 16 July 2026 2:09:32 UTC):

GREEN status (no comments) - no comments
After content analysis of this website we propose the following hashtags:



Meta tags:
description=;

Headings (most frequently used words):

configuration, files, snort, rule, writing, guide, tuning, lua, configurations, via, the, command, line, snort2lua, module, passing, to, converting,

Text of the page (most frequently used words):
snort (51), the (45), and (45), #configuration (32), lua (25), stream_tcp (20), options (19), modules (17), rule (15), specific (15), can (13), file (12), for (12), that (11), rules (11), with (10), int (10), command (9), ips (9), one (8), files (8), module (8), detection (8), are (7), using (7), set (7), help (7), traffic (7), this (6), default (6), true (6), given (6), different (6), output (5), example (5), like (5), will (4), all (4), snort2lua (4), from (4), also (4), which (4), settings (4), enable_builtin_rules (4), argument (4), how (4), line (4), config (4), max_pdu (4), table (4), setting (4), segments (4), tcp (4), session (4), bool (4), data (4), reassembly (4), enable (4), perform (4), writing (4), any (3), then (3), option (3), sets (3), its (3), but (3), my_path (3), existing (3), users (3), configurations (3), upon (3), 32768 (3), number (3), maximum (3), per (3), max32 (3), false (3), queue (3), don (3), more (3), direction (3), considered (3), not (3), these (3), handles (3), control (3), packet (3), process (3), protocols (3), guide (3), errors (2), working (2), directory (2), once (2), have (2), taken (2), directly (2), running (2), binary (2), followed (2), plugged (2), into (2), above (2), local (2), following (2), present (2), dot (2), notation (2), custom (2), tuning (2), via (2), simply (2), supplied (2), order (2), many (2), through (2), entries (2), literals (2), key (2), description (2), each (2), 1460 (2), segment (2), size (2), after (2), non (2), allowed (2), window (2), reassembled (2), received (2), bsd (2), seen (2), max31 (2), packets (2), queue_limit (2), than (2), bytes (2), unlimited (2), small_segments (2), small (2), 129 (2), 2048 (2), tracking (2), disable (2), enabled (2), inspector (2), flow (2), normalization (2), events (2), against (2), determine (2), action (2), actions (2), event (2), basic (2), should (2), types (2), there (2), now (2), done (2), logging (2), payload (2), service (2), basics (2), occur, during, conversion, they, placed, current, been, care, passed, rej, conf, easy, invoking, points, those, coming, building, creates, named, take, old, converting, back, overrides, specified, note, uses, however, instead, curly, braces, override, extend, boolean, sometimes, writers, want, experiment, see, might, affect, fortunately, provides, ability, run, off, flag, string, enclosed, quotes, containing, validates, everything, include, message, says, successfully, validated, doesn, look, you, pass, very, easily, passing, enables, configures, core, relied, encouraged, learn, about, ones, commands, other, follow, same, format, separated, commas, effectively, just, value, pairs, wanted, max, would, add, entry, outputs, valid, values, integer, between, inclusive, flush_factor, flush, seeing, drop, decreasing, 65535, max_window, 1073725440, overlap_limit, overlapping, 16384, pdu, no_ack, implicitly, acked, immediately, enum, policy, determines, operating, system, characteristics, first, last, linux, old_linux, macos, solaris, irix, hpux11, hpux10, windows, win_2003, vista, proxy, reassemble_async, before, both, directions, require_3whs, track, midstream, sessions, seconds, start, tracks, show_rebuilt_packets, cmg, max_bytes, 4194304, max_segments, 3072, count, consecutive, excessive, maximum_size, minimum, session_timeout, 180, timeout, track_only, initialized, means, view, defaults, empty, configured, stream, list, brief, logger, attainable, search, engine, pattern, matching, evaluate, parameters, performed, when, occurs, analyze, codec, decode, anomaly, handle, processing, big, part, enabling, high, level, processes, network, contains, decipher, raw, whether, particular, logged, features, eight, tuned, luckily, open, source, comes, standard, get, quickly, located, make, what, base, excellent, template, build, right, immediate, use, snort_defaults, three, ways, single, multiple, got, time, tell, things, global, variables, performance, policies, paths, much, dark, light, snortml, hexdump, shared, object, miscellaneous, information, tag, replace, detection_filter, post, stream_size, stream_reassemble, rpc, icmp_seq, icmp_id, icode, itype, ack, seq, file_type, flowbits, flags, ip_proto, fragbits, ipopts, tos, ttl, fragoffset, s7commplus, modbus, mms, iec, 104, cip, dnp3, gtp, md5, sha256, sha512, cvs, sd_pattern, sip, dce, ssl_state, ssl_version, ber_data, ber_skip, byte_jump, byte_math, byte_test, byte_extract, base64_decode, base64_data, vba_data, js_data, file_data, raw_data, pkt_data, regex, pcre, dsize, isdataat, bufferlen, combining, request, response, http_trailer_test, http_header_test, http_num_cookies, http_num_trailers, http_num_headers, http_max_trailer_line, http_max_header_line, http_version_match, http_true_ip, http_trailer, http_raw_trailer, http_raw_request, http_raw_status, http_stat_msg, http_stat_code, http_version, http_method, http_param, http_client_body, http_raw_body, http_cookie, http_raw_cookie, http_header, http_raw_header, http_uri, http_raw_uri, http, offset, depth, distance, within, width, endian, nocase, fast_pattern, content, file_meta, rem, metadata, priority, classtype, rev, sid, gid, reference, msg, general, syntax, identification, new, operators, port, numbers, addresses, headers, alert, trace, tweaks, scripts, wizard, binder, reading, installing, getting, started, introduction,


Text of the page (random words):
configuration snort 3 rule writing guide snort 3 rule writing guide introduction using snort 3 getting started with snort 3 installing snort using snort command line basics reading traffic configuration rules wizard and binder tweaks and scripts trace modules alert logging writing snort rules the basics rule headers rule actions protocols ip addresses port numbers direction operators new rule types service rules file rules file identification rules rule options rule option syntax key general rule options msg reference gid sid rev classtype priority metadata service rem file_meta payload detection rule options content fast_pattern nocase width and endian offset depth distance and within http specific options http_uri and http_raw_uri http_header and http_raw_header http_cookie and http_raw_cookie http_client_body and http_raw_body http_param http_method http_version http_stat_code http_stat_msg http_raw_request and http_raw_status http_trailer and http_raw_trailer http_true_ip http_version_match http_max_header_line http_max_trailer_line http_num_headers http_num_trailers http_num_cookies http_header_test http_trailer_test combining request and response detection bufferlen isdataat dsize pcre regex pkt_data raw_data file_data js_data vba_data base64_decode and base64_data byte_extract byte_test byte_math byte_jump ber_data and ber_skip ssl_state and ssl_version dce specific options sip specific options sd_pattern cvs md5 sha256 and sha512 gtp specific options dnp3 specific options cip specific options iec 104 specific options mms specific options modbus specific options s7commplus specific options non payload detection rule options fragoffset ttl tos id ipopts fragbits ip_proto flags flow flowbits file_type seq ack window itype icode icmp_id icmp_seq rpc stream_reassemble stream_size post detection rule options detection_filter replace tag miscellaneous information shared object rules hexdump lua snortml snort light snort dark snort 3 rule writing guide configuration once we ve got snort set up to process traffic it s now time to tell snort how to process traffic and this is done through configuration snort configuration handles things like the setting of global variables the different modules to enable or disable performance settings event logging policies the paths to specific rules files to enable and much more snort 3 configuration is now all done in lua and these configuration options can be supplied to snort in three different ways via the command line with a single lua configuration file or with multiple lua configuration files configuration files there are many different configuration options that can be tuned in snort but luckily open source snort 3 comes with a set of standard configuration files that help get snort users up and running quickly these default files are located in the lua directory and the snort lua and snort_defaults lua files present there make up what is considered to be the the base configuration this default config is an excellent template to build upon and it can be plugged right into snort for immediate use module configuration a big part of one s configuration is the enabling and tuning of snort modules which at a high level control how snort processes and handles network traffic snort contains modules to decipher raw packets perform traffic normalization determine whether or not a specific action should be taken against a particular packet and also control how events should be logged snort features eight different types of modules basic modules handle configuration for basic traffic and rule processing codec modules decode protocols and perform anomaly detection inspector modules analyze and process protocols ips action modules enable custom actions that can be performed when an event occurs ips option modules options set in snort rules to set the detection parameters search engine perform pattern matching against packet data to determine which rules to evaluate so rule modules perform detection not attainable with the existing ips options logger modules control the output of events and packet data a list and brief description of all snort 3 modules can be seen with the help modules command snort help modules modules are enabled and configured in a configuration as lua table literals for example the stream_tcp inspector module which handles tcp flow tracking and stream normalization and reassembly can enabled like so stream_tcp if a module is initialized as an empty table then that means the module is using its default settings we can view these defaults with the help config argument snort help config stream_tcp int stream_tcp flush_factor 0 flush upon seeing a drop in segment size after given number of non decreasing segments 0 65535 int stream_tcp max_window 0 maximum allowed tcp window 0 1073725440 int stream_tcp overlap_limit 0 maximum number of allowed overlapping segments per session 0 max32 int stream_tcp max_pdu 16384 maximum reassembled pdu size 1460 32768 bool stream_tcp no_ack false received data is implicitly acked immediately enum stream_tcp policy bsd determines operating system characteristics like reassembly first last linux old_linux bsd macos solaris irix hpux11 hpux10 windows win_2003 vista proxy bool stream_tcp reassemble_async true queue data for reassembly before traffic is seen in both directions int stream_tcp require_3whs 1 don t track midstream sessions after given seconds from start up 1 tracks all 1 max31 bool stream_tcp show_rebuilt_packets false enable cmg like output of reassembled packets int stream_tcp queue_limit max_bytes 4194304 don t queue more than given bytes per session and direction 0 unlimited 0 max32 int stream_tcp queue_limit max_segments 3072 don t queue more than given segments per session and direction 0 unlimited 0 max32 int stream_tcp small_segments count 0 number of consecutive in the received order tcp small segments considered to be excessive 129 12 0 2048 int stream_tcp small_segments maximum_size 0 minimum bytes for a tcp segment not to be considered small 129 12 0 2048 int stream_tcp session_timeout 180 session tracking timeout 1 max31 bool stream_tcp track_only false disable reassembly if true this command outputs the different settings for the given module a description of each setting and valid values for each one the max_pdu setting for example can be set to an integer between 1460 and 32768 inclusive entries in lua table literals are effectively just key value pairs if we wanted to set stream_tcp max_pdu to its max setting we would simply add a table entry like so stream_tcp max_pdu 32768 other entries follow the same format and are separated by commas the default snort lua configuration file enables and configures many of the core modules relied upon by snort and users are encouraged to go through that file and learn about the different ones using the help module and help config snort commands passing configuration files to snort snort doesn t look for a specific configuration file by default but you can pass one to it very easily with the c argument snort c my_path lua snort lua this command simply validates the supplied configuration file and if everything is in order the output will include a message that says snort successfully validated the configuration tuning lua configurations via the command line sometimes rule writers will want to experiment with a specific configuration to see how it might affect detection fortunately snort 3 provides the ability to run one off custom lua configurations directly from the command line using the lua flag followed by a string enclosed in quotes containing the specific lua configuration or configurations to set for example the following lua command sets the enable_builtin_rules boolean from the ips module to true snort c my_path lua snort lua r local rules lua ips enable_builtin_rules true note that the above lua argument uses dot notation to extend any existing ips configuration present in one s snort configuration file however users can also override a given module s configuration using curly braces instead of using dot notation the following argument for example overrides any existing ips configuration with the one specified snort c my_path lua snort lua r local rules lua ips enable_builtin_rules true this above example sets ips back to its default settings but then also sets enable_builtin_rules to true snort2lua converting configuration files for those that are coming from snort 2 and have a working 2 x configuration file building snort 3 also creates a binary named snort2lua which can take one s old snort 2 configuration and output one that can be plugged into snort 3 running this command is as easy as invoking the binary followed by a c option that points to the snort 2 configuration file snort2lua c snort conf if any errors occur during the conversion they will be placed in a snort rej file in the current working directory once all errors have been taken care of snort2lua will output a snort lua file that can then be passed directly to snort 3
Thumbnail images (randomly selected): * Images may be subject to copyright.GREEN status (no comments)

    No Images


    Verified site has: 126 subpage(s). Do you want to verify them? Verify pages:

    1-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50
    51-55 56-60 61-65 66-70 71-75 76-80 81-85 86-90 91-95 96-100
    101-105 106-110 111-115 116-120 121-125 126-126


    Top 50 hastags from of all verified websites.

    Supplementary Information (add-on for SEO geeks)*- See more on header.verify-www.com

    Header

    HTTP/1.1 301 Moved Permanently
    Date Thu, 16 Jul 2026 02:09:31 GMT
    Content-Type text/html; charset=UTF-8
    Transfer-Encoding chunked
    Connection keep-alive
    Server-Timing cfEdge;dur=7,cfOrigin;dur=0
    Location htt????/docs.snort.org/start/configuration.html
    X-Content-Type-Options nosniff
    Vary accept-encoding
    set-cookie __cf_bm=T.1BmjOSnr2gSamjnNhRfg4gvi3yLAWknbDnfbaAl3o-1784167771.8594112-1.0.1.1-0Wjo7xTakSexHGuk50.31xaPdyZfeD.9eo0qodgJJK81H3m1UhGNBGznqIYmcUPuzfox_bayw2S9LZr3ANq69RWs3kzP7sLwTQG5s5jKv.zULylU_rwF4MMU6xS6EDRf; HttpOnly; Path=/; Domain=snort.org; Expires=Thu, 16 Jul 2026 02:39:31 GMT
    Server cloudflare
    CF-RAY a1bd771e1816c627-CDG
    alt-svc h3= :443 ; ma=86400
    HTTP/2 308
    date Thu, 16 Jul 2026 02:09:31 GMT
    content-length 0
    x-content-type-options nosniff
    report-to group : cf-nel , max_age :604800, endpoints :[ url : htt????/a.nel.cloudflare.com/report/v4?s=1vP1yySkk3LEALtC5c0HjaHxRqBAojIKbvhmVLW9TYYu1CMvj1VsnM3RjeCaQ%2BljsaR3yzyHKGuhF%2FBtpH%2BnDA5392MA89TNoYArKEaJ%2BI7faFvpojfLBmzsNvrerB5vqA%3D%3D ]
    location /start/configuration
    nel report_to : cf-nel , success_fraction :0.0, max_age :604800
    access-control-allow-origin *
    referrer-policy strict-origin-when-cross-origin
    server cloudflare
    cf-cache-status DYNAMIC
    strict-transport-security max-age=15552000
    set-cookie __cf_bm=z4XjfEI0VTWXSp1S09lM320owHMgv0meiNL.KrBmDH4-1784167771.8933072-1.0.1.1-mG8zDohTsYnzbdLhxHqqWCG4vpgxVOUSnPdauTqTqthlf1UJGhFNjLyyLBAOhf_6Bh4M_lKfD4E19XhBtqzMR4.cMo.FvMihOLPHhZaydT2W085aZa19O8Z5Ro4hy0wl; HttpOnly; SameSite=None; Secure; Path=/; Domain=snort.org; Expires=Thu, 16 Jul 2026 02:39:31 GMT
    server-timing cfCacheStatus;desc= DYNAMIC
    server-timing cfEdge;dur=11,cfOrigin;dur=20
    cf-ray a1bd771e5a907a75-CDG
    alt-svc h3= :443 ; ma=86400
    HTTP/2 103
    link <htt????/fonts.googleapis.com>; rel=preconnect
    HTTP/2 200
    date Thu, 16 Jul 2026 02:09:31 GMT
    content-type text/html; charset=utf-8
    strict-transport-security max-age=15552000
    report-to group : cf-nel , max_age :604800, endpoints :[ url : htt????/a.nel.cloudflare.com/report/v4?s=kANMyrnHM1be8QJQuViP%2B5foftu3W2I6fGjv7xxsTfoMcEA0CBsQJYjbGbZB9WgThD6dmhtOf4yp1Sz1rDb9JAiasgZ1hx5X5QWtBJCbcP0Y4U5cFXuWs%2B7tXDlq90FEiA%3D%3D ]
    nel report_to : cf-nel , success_fraction :0.0, max_age :604800
    access-control-allow-origin *
    cache-control public, max-age=0, must-revalidate
    x-content-type-options nosniff
    link <htt????/fonts.googleapis.com>; rel= preconnect
    referrer-policy strict-origin-when-cross-origin
    server-timing cfCacheStatus;desc= DYNAMIC
    server-timing cfEdge;dur=5,cfOrigin;dur=20
    server cloudflare
    cf-cache-status DYNAMIC
    vary accept-encoding
    set-cookie __cf_bm=ZXDbiUP8bF1XAWW_nMWLsoDOMSAaDrPo4ZUYXwMb97g-1784167771.9328353-1.0.1.1-NMrdpkEjGXyUoNnaJUrwVePifqAdfjPX1awv.Tadqgn.TmBSc1f1hkqhkxhhuxB7XMkeRSpa9oVgc05TmssPfgYbVv62rlSSmh_5Z4tK27.CYCHsu7XFHKlIsLjv6aug; HttpOnly; SameSite=None; Secure; Path=/; Domain=snort.org; Expires=Thu, 16 Jul 2026 02:39:31 GMT
    content-encoding gzip
    cf-ray a1bd771e9ad77a75-CDG
    alt-svc h3= :443 ; ma=86400

    Meta Tags

    title="Configuration - Snort 3 Rule Writing Guide"
    charset="UTF-8"
    content="text/html; charset=utf-8" http-equiv="Content-Type"
    name="description" content=""
    name="viewport" content="width=device-width, initial-scale=1"
    name="theme-color" content="#ffffff"

    Load Info

    page size33316
    load time (s)0.117186
    redirect count2
    speed download66239
    server IP 104.16.91.19
    * all occurrences of the string "http://" have been changed to "htt???/"