So you have written a few basic rules for Snort, but are you looking for something a bit more in-depth? Hopefully this quick tutorial will get you on your way.
For example, here is a basic rule:
alert tcp any any -> any 502 (msg:"Modbus traffic!"; sid:1111101;)
Now let's go a bit further. Using an industrial protocol called Modbus, I have created this capture to illustrate the example:
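To show what "a bit further" looks like before we get to the capture, here is an added example (my own code, not part of the original post or of Snort) that builds a couple of Modbus/TCP requests and checks them against the basic port-502 rule and against two more specific rules that key on the Modbus function code. The point it makes: Modbus/TCP carries a 7-byte MBAP header in front of the function code, so a Snort content match such as `content:"|06|"; offset:7; depth:1;` lands exactly on the function code, while a bare `content:"|06|"` fires on any 0x06 byte anywhere in the payload (the MBAP length field included). The frames, rule names and sids below are constructed for illustration and are not from a real capture.

```python
import struct

# Modbus/TCP payload layout (TCP port 502):
#   MBAP header, 7 bytes: transaction id (2) | protocol id (2, always 0)
#                         | length (2) | unit id (1)
#   PDU: function code (1) + data
# Snort content offsets count from the start of the TCP payload, so the
# function code is always at offset 7.
MBAP_LEN = 7


def build_modbus_tcp(transaction_id, unit_id, function_code, data):
    """Assemble a Modbus/TCP request payload (constructed, not captured)."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_mbap(payload):
    """Decode the MBAP header and function code; None if the frame is malformed."""
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit,
            "function": payload[MBAP_LEN], "data": payload[MBAP_LEN + 1:]}


def content_match(payload, content, offset=0, depth=None):
    """Emulate Snort's content match with the offset/depth modifiers:
    look for `content` starting `offset` bytes in, within at most `depth` bytes."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


# Hypothetical rules as (msg, content, offset, depth). A content of None stands
# for a rule with no payload check, like the basic port-502 rule in the post.
# The equivalent Snort rule text is given beside each entry.
RULES = [
    # alert tcp any any -> any 502 (msg:"Modbus traffic!"; sid:1111101;)
    ("Modbus traffic!", None, 0, None),
    # alert tcp any any -> any 502 (msg:"Modbus write single register";
    #   content:"|06|"; offset:7; depth:1; sid:1111102;)
    ("Modbus write single register", b"\x06", 7, 1),
    # alert tcp any any -> any 502 (msg:"Modbus write multiple registers";
    #   content:"|10|"; offset:7; depth:1; sid:1111103;)
    ("Modbus write multiple registers", b"\x10", 7, 1),
]


def matching_rules(payload):
    """Return the msg of every rule that would fire on this port-502 payload."""
    hits = []
    for msg, content, offset, depth in RULES:
        if content is None or content_match(payload, content, offset, depth):
            hits.append(msg)
    return hits


if __name__ == "__main__":
    # Write Single Register (fc 0x06): register 0x0010 := 0x0001
    write = build_modbus_tcp(1, 1, 0x06, b"\x00\x10\x00\x01")
    # Read Holding Registers (fc 0x03) starting at register 0x0006: the data
    # contains a 0x06 byte but this is not a write.
    read = build_modbus_tcp(2, 1, 0x03, b"\x00\x06\x00\x01")
    for name, frame in (("write", write), ("read", read)):
        print(name, frame.hex(), parse_mbap(frame), matching_rules(frame))
    # Without offset/depth the write rule would also fire on the read request.
    print("naive |06| match on read:", content_match(read, b"\x06"))
```

Running it shows the write request firing both the generic rule and the write-single-register rule, while the read request fires only the generic rule, even though a naive `content:"|06|"` would have matched it.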
To install Snort 2.9.0.5, you are now required to install the new DAQ (data acquisition) API as a dependency. To build and compile it, you need to do the following: