

Rule2Alert's goal is to read in Snort rules and generate packets that would make Snort produce an alert. It is written entirely in Python and uses Scapy to craft the packets. It is still under heavy development by myself, Pablo Rincon, and Will Metcalf.

Currently, it is able to generate pcaps from simple content-based, Snort-compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted Snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system, Suricata.


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

famousjs@youbantoo:~/rule2alert$ sudo python -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP > S
Ether / IP / TCP > SA
Ether / IP / TCP > A
Ether / IP / TCP > PA / Raw

-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------

Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules
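To make the content, distance and within handling in the session above concrete, here is an added Python example (written for this post, not code from Rule2Alert): it parses the content options out of the rule, lays out a payload that satisfies each relative constraint, and checks the result with a matcher that applies the same Snort semantics. It only handles the modifiers this rule uses and leaves the Scapy packet crafting out.

```python
# The rule from the post above (constructed copy for this example).
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; '
        'flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; '
        'distance:5; within:12; sid:2000000; rev:1;)')

def decode_content(s):
    """Decode a Snort content string: literal text outside |..|, hex bytes inside."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_content_options(rule):
    """Return the content options in order, each with its distance/within modifier.
    Handles only the simple form this rule uses (no escaped ';' inside content)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        name, _, val = opt.partition(":")
        if name == "content":
            opts.append({"content": decode_content(val.strip().strip('"')),
                         "distance": 0, "within": None})
        elif name in ("distance", "within") and opts:
            opts[-1][name] = int(val)
    return opts

def build_payload(opts, pad=b" "):
    """Lay the contents out so each relative constraint holds: a content starts
    `distance` bytes after the previous match ends and must end within `within`
    bytes of that point. Raises when distance and within contradict each other."""
    payload = b""
    for o in opts:
        if o["within"] is not None and o["distance"] + len(o["content"]) > o["within"]:
            raise ValueError("distance + len(content) exceeds within; unsatisfiable")
        payload += pad * o["distance"] + o["content"]
    return payload

def matches(payload, opts):
    """Snort-style relative matching: take the first hit of each content at or
    after prev_end + distance and require it to end by prev_end + within."""
    pos = 0
    for o in opts:
        idx = payload.find(o["content"], pos + o["distance"])
        if idx < 0:
            return False
        end = idx + len(o["content"])
        if o["within"] is not None and end > pos + o["within"]:
            return False
        pos = end
    return True
```

`build_payload(parse_content_options(RULE)).hex(" ")` reproduces the hex dump in the session above, and `matches` lets you confirm a candidate payload against the chain before writing it to a pcap.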