Snort/SourceFire - Writing Signatures
Below is a custom signature that would create an alert on traffic running from any source to any destination with a destination port of 22, on flags push and ack, every 600 seconds.
alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious; threshold: type limit, track by_dst, count 1 , seconds 600 ; sid:1000001; rev:1;)
Adding the Rule
Add the rule to the local.rules file and then make sure the local.rules is not commented out in the /etc/snort file.
Select the Sensor on the Defense Centre, or if stand alone just on the sensor. Then import the rule and upload to the sensor.