Rule Anatomy

All standard text rules contain two logical sections: the rule header and the rule options. The rule header contains:

  • the rule's action or type

  • the protocol

  • the source and destination IP addresses and netmasks

  • direction indicators showing the flow of traffic from source to destination

  • the source and destination ports

The rule options section contains:

  • event messages

  • keywords and their parameters and arguments

  • patterns that a packet’s payload must match to trigger the rule

  • specifications of which parts of the packet the rules engine should inspect

The following diagram illustrates the parts of a rule:

Diagram illustrating the components of a standard text rule: the rule header and the rule options.

Note that the options section of a rule is the section enclosed in parentheses. The intrusion rules editor provides an easy-to-use interface to help you build standard text rules.
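The split between header and options can be shown with a small parser. This is an added example, not code from the product or its documentation: the sample rule is constructed, the function names are hypothetical, and it assumes standard Snort text-rule syntax (options terminated by `;`, direction operators `->` and `<>`).

```python
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")

def split_options(body):
    """Split the options body on ';', skipping ';' that is escaped or quoted."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        cur += ch
    if cur.strip():
        raise ValueError("last option is not terminated by ';'")
    return [o for o in opts if o]

def parse_rule(rule):
    """Return the header fields and the ordered (keyword, arguments) options."""
    rule = rule.strip()
    start = rule.find("(")
    if start == -1 or not rule.endswith(")"):
        raise ValueError("options section must be enclosed in parentheses")
    header = rule[:start].split()
    if len(header) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(header)}")
    parsed = dict(zip(HEADER_FIELDS, header))
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {parsed['direction']!r}")
    parsed["options"] = []
    for opt in split_options(rule[start + 1:-1]):
        keyword, _, args = opt.partition(":")  # keywords such as nocase take no arguments
        parsed["options"].append((keyword.strip(), args.strip() or None))
    return parsed

# Constructed sample rule for illustration, not a real signature.
SAMPLE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
          r'(msg:"Constructed example\; admin path"; flow:to_server,established; '
          r'content:"/admin"; nocase; sid:1000001; rev:1;)')

if __name__ == "__main__":
    result = parse_rule(SAMPLE)
    for name in HEADER_FIELDS:
        print(f"{name:10} {result[name]}")
    for keyword, args in result["options"]:
        print(f"  {keyword} = {args}")
```

Running it prints the seven header fields first, then each option keyword with its arguments in the order the rule lists them.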