Securing Cisco Networks with Snort Rule Writing Best Practices (SSFRULES)


Course Content

Securing Cisco® Networks with Snort Rule Writing Best Practices (SSFRULES) is an instructor-led course offered by Learning Services High-Touch Delivery. It is a lab-intensive course that introduces students to the open source Snort community and rule-writing best practices.

The course begins by identifying the key features and characteristics of a typical Snort rule development environment. You will develop and test custom rules in a preinstalled Snort environment and identify how to use advanced rule-writing techniques. You will investigate how to include OpenAppID in your rules and also identify how to filter rules and monitor their performance.

This course also provides instruction and lab exercises on how to detect certain types of attacks, such as buffer overflows, utilizing various rule-writing techniques. You will test your rule-writing skills in two challenges: a theoretical challenge that tests knowledge of rule syntax and usage, and a practical challenge in which we present an exploit for you to analyze and research so you can defend your installations against the attack.

This course combines lecture materials and hands-on labs throughout to make sure that you are able to successfully understand and implement open source rules.

Who should attend

This course is designed for technical professionals who need to write rules for use with Snort-based intrusion detection systems (IDS) and intrusion prevention systems (IPS).
  • Security administrators
  • Security consultants
  • Network administrators
  • System engineers
  • Technical support personnel
  • Channel partners and resellers


  • Technical understanding of TCP/IP networking and network architecture
  • Working knowledge of how to use and operate Cisco Sourcefire® Systems or open source Snort
  • Working knowledge of command-line text editing tools, such as the vi editor
  • Basic rule-writing experience is suggested

Course Objectives

Upon completion of this course, you should be able to:
  • Understand rule structure, rule syntax, rule options, and their usage
  • Configure and create Snort rules
  • Understand the rule optimization process to create efficient rules
  • Understand preprocessors and how data is presented to the rule engine
  • Create and implement functional Regular Expressions in Snort rules
  • Design and apply rules using byte_jump/test/extract rule options
  • Understand the concepts behind protocol modeling to write rules that perform better

Outline: Securing Cisco Networks with Snort Rule Writing Best Practices (SSFRULES)

  • Module 1: Welcome to the Sourcefire Virtual Network
  • Module 2: Basic Rule Syntax and Usage
  • Module 3: Rule Optimization
  • Module 4: Using PCRE in Rules
  • Module 5: Using Byte_Jump/Test/Extract Rule Options
  • Module 6: Protocol Modeling Concepts and Using Flowbits in Rule Writing
  • Module 7: Case Sudies in Rule Writing and Packet Analysis
  • Module 8: Rule Performance Monitoring
  • Module 9: Rule Writing Practiceal Labs, Exercises, and Challenges
    • Lab 1: Writing Custom Rules
    • Lab 2: Drop Rules
    • Lab 3: Replacing Content
    • Lab 4: SSH Rule Scenerio
    • Lab 5: Optimizing Rules
    • Lab 6: Using PCRE test to Test Regex Options
    • Lab 7:Use PCREtest to Test Custom Regular Expressions
    • Lab 8: Writing Rules That Contain PCRE
    • Lab 9: Detecting SADMIND Trust with Byte_Jump and Byte_test
    • Lab 10: Using the Bitwise AND Operation in Byte_Test Rule Option
    • Lab 11: Detecting ZenWorks Directory Traversal Using Byte_Extract
    • Lab 12: Writing a Flowbit Rule
    • Lab 13: Extra Flowbits Challenge
    • Lab 14: Strengthen Your Brute-Force Rule with Flowbits
    • Lab 15: Research and Packet Analysis
    • Lab 16: Revisiting the Kaminsky Vulnerability
    • Lab 17: Configuring Rule Profiling
    • Lab 18: Testing Rule Performance
    • Lab 19: Configure Rule Profiling to View PCRE Performance
    • Lab 20: Preventing User Access to a Restricted Site
    • Lab 21: SQL Injection
    • Lab 22: The SQL Attack Revisited
Online Training

Duration 3 days

  • Canada: CAD 4,060
  • Cisco Learning Credits: 30 CLC
Classroom Training

Duration 3 days

  • Canada: CAD 4,060
  • Cisco Learning Credits: 30 CLC
Click on town name to book Schedule
This is an Instructor-Led Classroom course
Fast Lane will carry out all guaranteed training regardless of the number of attendees, exempt from force majeure or other unexpected events, like e.g. accidents or illness of the trainer, which prevent the course from being conducted.
This computer icon in the schedule indicates that this date/time will be conducted as Instructor-Led Online Training.
This is a FLEX course, which is delivered both virtually and in the classroom.
  *   This class is delivered by a partner.

Currently there are no training dates scheduled for this course.  For enquiries please write to info@fastlaneca.com.

United States
Apr 7-9, 2020 Guaranteed to Run Online Training 09:00 US/Eastern * Enroll
Jun 1-3, 2020 Guaranteed to Run Online Training 09:00 US/Central * Enroll

Fast Lane Flex™ Classroom If you can't find a suitable date, don't forget to check our world-wide FLEX™ training schedule.