Snort/SourceFire – Writing Signatures

Below is a custom signature that would create an alert on traffic running from any source to any destination with a destination port of 22, on flags push and ack, every 600 seconds.

alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious; threshold: 
type limit, track by_dst, count 1 , seconds 600 ; sid:1000001; rev:1;)

Adding the Rule


Add the rule to the local.rules file and then make sure the local.rules is not commented out in the /etc/snort file.


Select the Sensor on the Defense Centre, or if stand alone just on the sensor. Then import the rule and upload to the sensor.

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial