RULE WRITING
Last updated
When creating Snort rules, keep the Snort operating mode (IDS or IPS) in mind, as it determines which rule actions make sense: alert and log in passive IDS mode, drop, reject and sdrop only when Snort runs inline as an IPS. User-created rules are stored in /etc/snort/rules/local.rules, which the stock snort.conf already pulls in with "include $RULE_PATH/local.rules".
identify the rule action for IDS (alert, log) or IPS (drop, reject, sdrop)
identify the 5-tuple requirements: protocol, source/destination IP, source/destination port
determine the combination of rule options to use: general, payload and/or non-payload options
apply the format syntax below (every option, including the last one, is terminated by a semicolon)
test the rule before relying on it: "snort -T -c /etc/snort/snort.conf" validates the configuration and every rule it includes, and "snort -c /etc/snort/snort.conf -r <capture.pcap> -A console" replays a capture against the rules so you can see what fires and what does not
<action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
* Action: Specifies what Snort should do when the rule matches. Examples: alert, log, drop.
- alert: Generate an alert.
- log: Log the packet.
- pass: Ignore the packet.
- drop: Drop the packet and log it (inline/IPS mode only).
- reject: Drop the packet, log it, and send a TCP RST (TCP) or an ICMP port unreachable (UDP) back to the sender.
- sdrop: Silent drop: drop the packet without logging it.
* Protocol: Network protocol to match: tcp, udp, icmp, or ip.
* Source IP: Source IP, CIDR range, variable, or bracketed list. Use any for all IPs, negate with !. Examples: 192.168.1.0/24, !192.168.1.0/24, $HOME_NET, [10.0.0.0/8,192.168.1.0/24].
* Source Port: Source port, range, or list. Use any for all ports. Examples: 80, 1:1024, !443, [80,443].
* Direction: -> (source to destination) or <> (either direction). There is no <- operator; swap the two sides instead.
* Destination IP: Destination IP or range, same syntax as the source IP. Use any for all IPs, negate with !.
* Destination Port: Destination port or range, same syntax as the source port. Use any for all ports.
* Options: Detection and alert options enclosed in parentheses ( ).
- Rule Options Syntax
- (option1:value1; option2:value2; ...) with a semicolon after every option, including the last; options without a value (e.g. nocase) are written as the bare keyword followed by a semicolon
- General Rule Options: Fundamental rule options for Snort.
- msg: a short text shown with the alert that summarizes the triggered event
- sid (Snort rule ID): unique rule identifier
- scope:
- <100: reserved
- 100-999,999: rules that ship with the Snort distribution
- >=1,000,000: rules created by the user (mandatory for local rules); give every rule its own sid, since reusing one across rules is a load-time error
- reference: additional information explaining the purpose of the rule or the threat pattern, in the form reference:<system>,<id>
- assists analysts during alert and incident investigation
- rev: revision number of the rule; increment it every time the rule is modified so that an alert can be traced to a specific version of the rule (the sid stays the same across revisions)
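The procedure and the syntax above can be checked mechanically before snort -T ever sees the file. The following linter is an added example written for this page, not part of the page's original content or of Snort itself: it parses each rule header into its action, protocol, 5-tuple and direction, splits the options, and enforces the conventions listed above (known action and protocol, only -> or <> as direction, msg/sid/rev present, a trailing semicolon on every option, sid >= 1,000,000 for local rules, and no sid reused across rules). The sample local.rules content and all function names are constructed for the example.

```python
"""Lint a Snort 2 local.rules file against the header/option conventions described above.
Added example for this page; the rule file below is constructed sample input."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # user-created rules must use sid >= 1,000,000

# <action> <proto> <srcIP> <srcPort> (-> | <>) <dstIP> <dstPort> (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)$"
)
# any, $VAR, optionally negated IPv4/CIDR, or a bracketed list such as [10.0.0.0/8,!10.0.0.1]
IP_RE = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?|\[[^\s\]]+\])$")
# any, $VAR, optionally negated port, range (1:1024, :1024, 1024:) or bracketed list
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}|\d*:\d*|\[[^\s\]]+\])$")


def split_options(opts):
    """Split 'k:v; k2; ...' into (key, value) pairs, ignoring ';' inside quoted strings.
    Every option must end with ';', so leftover text after the last ';' is an error."""
    pairs, buf, in_quote, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, sep, val = item.partition(":")
                pairs.append((key.strip(), val.strip() if sep else None))
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        raise ValueError("option %r is missing its trailing ';'" % "".join(buf).strip())
    return pairs


def parse_rule(line):
    """Return (header dict, [(option, value), ...]) or raise ValueError."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("header does not match <action> <proto> <srcIP> <srcPort> -> or <> <dstIP> <dstPort> (options)")
    header = m.groupdict()
    return header, split_options(header.pop("opts"))


def lint_rule(line):
    """Return a list of (severity, message) findings for one rule line; [] means clean."""
    try:
        header, options = parse_rule(line)
    except ValueError as exc:
        return [("error", str(exc))]
    findings = []
    if header["action"] not in ACTIONS:
        findings.append(("error", "unknown action %r" % header["action"]))
    if header["proto"] not in PROTOCOLS:
        findings.append(("error", "unknown protocol %r" % header["proto"]))
    for key in ("src_ip", "dst_ip"):
        if not IP_RE.match(header[key]):
            findings.append(("error", "bad IP spec %r in %s" % (header[key], key)))
    for key in ("src_port", "dst_port"):
        if not PORT_RE.match(header[key]):
            findings.append(("error", "bad port spec %r in %s" % (header[key], key)))
    opts = dict(options)  # msg/sid/rev occur once, so a dict is enough here
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            findings.append(("error", "missing required option %s" % required))
    sid = opts.get("sid")
    if sid is not None:
        if not sid.isdigit():
            findings.append(("error", "sid must be numeric, got %r" % sid))
        elif int(sid) < LOCAL_SID_MIN:
            findings.append(("warning", "sid %s is below %d; that range is for shipped rules" % (sid, LOCAL_SID_MIN)))
    return findings


def lint_rules(text):
    """Lint every non-comment line of a rules file; also flag sids reused across rules."""
    results, seen_sids = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for severity, message in lint_rule(line):
            results.append((lineno, severity, message))
        m = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if m:
            sid = int(m.group(1))
            if sid in seen_sids:
                results.append((lineno, "error", "duplicate sid %d (first used on line %d)" % (sid, seen_sids[sid])))
            else:
                seen_sids[sid] = lineno
    return results


# Constructed sample local.rules for this example (not from the page); lines 3-7 each carry one defect.
SAMPLE_RULES = """\
# constructed sample local.rules
alert tcp any any -> $HOME_NET 22 (msg:"SSH to internal host"; sid:1000001; rev:1;)
alert tcp any any <> any 80 (msg:"GET Request Found"; content:"GET"; sid:100001; rev:1;)
alert udp 192.168.1.0/24 any -> !192.168.1.0/24 53 (msg:"DNS leaving LAN"; sid:1000001; rev:2;)
alerts tcp any any -> any 443 (msg:"typo in action"; sid:1000002; rev:1;)
alert tcp any any <-> any 445 (msg:"bad direction"; sid:1000003; rev:1;)
alert tcp any any -> any 25 (msg:"no trailing semicolon"; sid:1000004; rev:1)
"""

if __name__ == "__main__":
    for lineno, severity, message in lint_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, severity, message))
```

Run it over the real /etc/snort/rules/local.rules before snort -T; the sid-range warning is the one that bites most often, because the page's own examples reuse sid 100001, which lies inside the 100-999,999 range reserved for shipped rules and collides as soon as two of them land in the same file.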
Payload Rule Options: Rule options that inspect the packet payload. These options are used to detect specific byte or string patterns.
- content: matches specific payload data given as ASCII text, as hex bytes between pipes (|47 45 54|), or as a mix of both in one string; the match is case sensitive unless nocase is added
- ASCII mode
- alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
- HEX mode
- alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
- nocase: makes the preceding content match case insensitive (GET, get and Get all match); use it whenever the protocol or attacker can vary the case.
- alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
- fast_pattern:
- selects which content is handed to the fast pattern matcher, the cheap pre-filter that decides whether a packet is worth evaluating against the rest of the rule. It is optional, not mandatory: with several content options Snort picks the longest one by default, and fast_pattern overrides that choice when a shorter but rarer content is more selective. The fast pattern matcher is case insensitive; the content's own case rule is still applied afterwards.
- alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
- tells Snort to use the first content option ("GET") for the initial packet match instead of letting it choose; only packets that pass that pre-filter are checked against both contents in full, and both must match for the rule to fire.
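To make the content semantics above concrete, here is an added example (written for this page, not code from Snort or from the page) that decodes a content string the way Snort reads it (ASCII, |hex| sections and escapes), applies nocase, picks the fast pattern as described (explicit fast_pattern, otherwise the longest content, first one on a tie, which is this example's own tie-break), and then runs the two-stage check against a constructed HTTP request. contents_from_options, parse_content, choose_fast_pattern and rule_payload_matches are names invented here; the option splitter is deliberately naive and does not handle a literal ';' inside a content string.

```python
"""Emulate Snort 'content' / 'nocase' / 'fast_pattern' matching. Added example; the HTTP
request below is a constructed sample payload, not captured traffic."""


def parse_content(spec):
    """Convert a Snort content string into bytes.
    ASCII text is taken literally; text between '|' pairs is hex, so "GET", "|47 45 54|"
    and "G|45|T" all yield b"GET". A backslash escapes the next character (\\" \\; \\\\ \\|)."""
    out, hexbuf, in_hex, i = bytearray(), [], False, 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            if in_hex:
                out += bytes.fromhex("".join(hexbuf))
                hexbuf = []
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():
                hexbuf.append(ch)
        elif ch == "\\" and i + 1 < len(spec):
            i += 1  # escaped literal character
            out += spec[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated '|' hex section in content")
    return bytes(out)


def content_matches(payload, pattern, nocase=False):
    """Plain 'content' semantics: the pattern occurs anywhere in the payload (no offset/depth)."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def choose_fast_pattern(contents):
    """Index of the content handed to the fast pattern matcher: an explicit fast_pattern wins,
    otherwise the longest content (first one on a tie; the tie-break is this example's choice).
    contents: list of (pattern_bytes, nocase, fast_pattern) tuples."""
    for i, (_, _, fast) in enumerate(contents):
        if fast:
            return i
    return max(range(len(contents)), key=lambda i: (len(contents[i][0]), -i))


def rule_payload_matches(payload, contents):
    """Two-stage check: the fast pattern is a case-insensitive pre-filter; only if it hits are
    all contents evaluated in full, each with its own case rule. All of them must match."""
    fast_pattern = contents[choose_fast_pattern(contents)][0]
    if not content_matches(payload, fast_pattern, nocase=True):
        return False
    return all(content_matches(payload, pat, nocase) for pat, nocase, _ in contents)


def contents_from_options(options):
    """Pull (pattern, nocase, fast_pattern) tuples out of a rule's option string.
    nocase and fast_pattern modify the content that precedes them, as in Snort."""
    contents = []
    for item in options.split(";"):  # naive split: no literal ';' inside content strings
        item = item.strip()
        if item.startswith("content:"):
            spec = item[len("content:"):].strip().strip('"')
            contents.append([parse_content(spec), False, False])
        elif item == "nocase" and contents:
            contents[-1][1] = True
        elif item == "fast_pattern" and contents:
            contents[-1][2] = True
    return [tuple(c) for c in contents]


# Constructed sample payload for the example.
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: curl/8.0\r\n\r\n")

if __name__ == "__main__":
    opts = 'msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;'
    contents = contents_from_options(opts)
    print("fast pattern:", contents[choose_fast_pattern(contents)][0])
    print("rule matches:", rule_payload_matches(HTTP_REQUEST, contents))
```

The last assertion in the test below is the case that trips people up: a rule with content:"get" and no nocase passes the case-insensitive fast pattern stage but still does not fire, because the full content check is case sensitive.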
Non-Payload Rule Options: Rule options that match on header fields and packet properties rather than payload bytes. These options help build specific patterns (scans, malformed or spoofed packets) and identify network issues.
- id: Filters on the IP header ID field. The field is 16 bits wide, so only values 0-65535 can ever match.
- alert tcp any any <> any any (msg: "ID TEST"; id:12345; sid: 100001; rev:1;)
- flags: Filters on the TCP flags (F - FIN, S - SYN, R - RST, P - PSH, A - ACK, U - URG, 1 - CWR, 2 - ECE, 0 - no flags set). Without a modifier the set must match exactly; +S means SYN plus any other flags, *SA means any of SYN or ACK, !A means ACK not set.
- alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)
- dsize: Filters on the packet payload size: dsize:>100, dsize:<100, dsize:100 (exact) or dsize:min<>max (range)
- alert ip any any <> any any (msg: "DSIZE TEST"; dsize:100<>300; sid: 100001; rev:1;)
- sameip: Matches packets whose source and destination IP addresses are identical, a classic sign of a spoofed (Land-style) packet.
- alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
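The non-payload options above are simple enough to evaluate by hand, which makes them a good place to check your understanding of the flags modifiers and the dsize range before writing rules. The following is an added example for this page (not Snort code and not from the page): it models a packet with the fields these options look at, implements flags (with the +, * and ! modifiers and the optional mask after the comma), dsize, id and sameip, and runs a small rule table over three constructed packets. Packet, flags_match, dsize_match, parse_ip_id, evaluate and alerts_for are names invented here; dsize ranges are treated as inclusive in this example, an assumption to confirm against the manual of the Snort version in use, since range endpoint handling has differed between releases.

```python
"""Evaluate Snort non-payload options (flags, dsize, id, sameip) against constructed packets.
Added example; packets and rule table below are sample data, not captured traffic."""
from dataclasses import dataclass

# Snort's flag letters mapped to TCP flag bits; 1 = CWR, 2 = ECE.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    tcp_flags: int   # raw TCP flag byte; 0 for non-TCP
    dsize: int       # payload length in bytes


def flag_bits(letters):
    """'SA' -> 0x12; '0' means no flags at all."""
    return 0 if letters == "0" else sum(FLAG_BITS[c] for c in letters)


def flags_match(tcp_flags, spec):
    """Snort 'flags:[!|*|+]<FSRPAU120>[,<mask>]'.
    no modifier: the flag set must match exactly; '+': all listed bits set, others allowed;
    '*': any listed bit set; '!': none of the listed bits set.
    Bits named after the comma are masked out of the packet before comparing."""
    pattern, _, mask = spec.partition(",")
    mode = ""
    if pattern and pattern[0] in "+*!":
        mode, pattern = pattern[0], pattern[1:]
    want = flag_bits(pattern)
    have = tcp_flags & ~flag_bits(mask) if mask else tcp_flags
    if mode == "+":
        return have & want == want
    if mode == "*":
        return have & want != 0
    if mode == "!":
        return have & want == 0
    return have == want


def dsize_match(dsize, spec):
    """Snort 'dsize:<N', '>N', 'N' or 'min<>max' (endpoints inclusive here; see lead-in)."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo <= dsize <= hi
    if spec[0] == "<":
        return dsize < int(spec[1:])
    if spec[0] == ">":
        return dsize > int(spec[1:])
    return dsize == int(spec)


def parse_ip_id(spec):
    """The IP ID field is 16 bits, so values outside 0..65535 can never match."""
    value = int(spec)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("id:%s is out of range for a 16-bit IP ID" % spec)
    return value


def evaluate(pkt, options):
    """AND together the non-payload options of one rule against a packet.
    options: dict such as {"flags": "S", "dsize": "0"}; valueless options map to None."""
    for key, val in options.items():
        if key == "flags":
            ok = flags_match(pkt.tcp_flags, val)
        elif key == "dsize":
            ok = dsize_match(pkt.dsize, val)
        elif key == "id":
            ok = pkt.ip_id == parse_ip_id(val)
        elif key == "sameip":
            ok = pkt.src == pkt.dst
        else:
            raise ValueError("unsupported option %s" % key)
        if not ok:
            return False
    return True


# Constructed sample packets and a rule table mirroring the options discussed above.
PACKETS = {
    "syn_probe": Packet("10.0.0.5", "10.0.0.9", 12345, FLAG_BITS["S"], 0),
    "land":      Packet("10.0.0.9", "10.0.0.9", 7, FLAG_BITS["S"], 0),
    "data":      Packet("10.0.0.5", "10.0.0.9", 40000, FLAG_BITS["P"] | FLAG_BITS["A"], 200),
}
RULES = {
    "SYN with no payload": {"flags": "S", "dsize": "0"},
    "SAME-IP TEST": {"sameip": None},
    "ID TEST": {"id": "12345"},
    "DSIZE TEST": {"dsize": "100<>300"},
}


def alerts_for(pkt):
    """Names of the rules whose non-payload options all match this packet."""
    return [name for name, opts in RULES.items() if evaluate(pkt, opts)]


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, "->", alerts_for(pkt))
```

Note how the exact-match default of flags is what separates a clean SYN probe from a SYN/ACK: flags:S does not fire on the latter, while flags:+S fires on both.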