As the necessary complement to Firewall, Intrusion Detection System can help the compute system to deal with network attack, which expands the security manage ability of system administrator and enhance the integrity of information security system architecture. IDS are installed to identify attacks and to react by usually generating an alert or blocking suspicious activity. Snort is a lightweight Network Intrusion Detection System(NIDS), and it detects intrusion with misuse detecting technology. Snort rules, acting as a knowledge base when it detect invade activity, is its heart, and will argument as kinds of intrusions increase. Software leak appears frequently, new network intrusion and varieties of old attacks continually bring threat and damage to computer network, in such condition, we should add new Snort rules in time to detect intrusion effectively, and increase the detect ability of Snort.
Snort rule is a simple and lightweight description language which can detect the data package for intrusion in the network. It provides a simple and flexible method to describe intrusion activity. What’s more, it is developing, in order to describe the attack signature more exactly. In this paper, it presents the way to get NIDS rules from attack signature, and introduces the components of Snort and how it works; it analyzes the grammar structure of Snort rules and how to optimize rules to decrease false alarm and alarm failure; also, it propose three methods to expand Snort rules and give examples. Anymore, it adds new rules based on tow attack signatures to rule house, and simulate the attack of worm with a program, then check whether it is effective by examine alert information.