3.3 Rule Options

Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility. All Snort rule options are separated from each other using the semicolon (;) character. Rule option keywords are separated from their arguments with a colon (:) character.

There are four major categories of rule options.

These options provide information about the rule but do not have any affect during detection

These options all look for data inside the packet payload and can be inter-related

These options look for non-payload data

These options are rule specific triggers that happen after a rule has “fired.”