Writing Snort Rules

1. Figure out what is "bad".
2. Capture traffic that includes the "bad stuff".
3. Learn the protocol.
4. Figure out why the "bad stuff" is bad.
5. Write a rule.
6. Test the rule.
7. Rewrite the rule and test it again; keep repeating the rewrite/test loop until the rule fires on the bad traffic and on nothing else.

Watch out for signature updates!
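The write / test / rewrite loop above, as an added example that is not part of the original slides and not Snort's own code: a small Python evaluator for a subset of Snort rule syntax (header, content with |hex| escapes, nocase, offset, depth, pcre, sid, rev), run offline against constructed packets. The first rule (sid 1000001, rev 1) matches the "bad stuff" but also fires on a harmless POST body; the rewrite (rev 2) pins the match to the HTTP request line and stops the false positive. The directory-traversal request, the RFC 5737 documentation addresses, port 80 and the sid are assumptions chosen for illustration; $VAR addresses and ports are treated as "any", and Snort features outside this subset (flow, byte_test, preprocessors, reassembly) are not modelled.

```python
"""Toy evaluator for a subset of Snort rule syntax (added example, not Snort)."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:            # constructed stand-in for one decoded TCP segment
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: list = field(default_factory=list)   # ordered (name, value) pairs
    sid: int = 0
    msg: str = ""


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text: str) -> bytes:
    """Snort content string -> bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = Rule(*m.groups()[:6])
    for name, value in OPTION.findall(m.group(7)):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if name == "sid":
            rule.sid = int(value)
        elif name == "msg":
            rule.msg = value
        else:
            rule.opts.append((name, value))
    return rule


def _port_ok(spec: str, port: int) -> bool:      # $VARS are treated as "any" (assumption)
    return spec == "any" or spec.startswith("$") or int(spec) == port


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec.startswith("$") or spec == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    """Check the header, then the payload options in rule order."""
    if rule.proto != pkt.proto or not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
                                       and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    data, opts, i = pkt.payload, rule.opts, 0
    while i < len(opts):
        name, value = opts[i]
        i += 1
        if name == "content":
            needle, nocase, offset, depth = decode_content(value), False, 0, None
            while i < len(opts) and opts[i][0] in ("nocase", "offset", "depth"):  # modifiers follow their content
                mod, mv = opts[i]
                i += 1
                if mod == "nocase":
                    nocase = True
                elif mod == "offset":
                    offset = int(mv)
                else:
                    depth = int(mv)
            window = data[offset:] if depth is None else data[offset:offset + depth]
            if nocase:
                window, needle = window.lower(), needle.lower()
            if needle not in window:
                return False
        elif name == "pcre":
            pattern, flags = value[1:].rsplit("/", 1)     # strip the /.../flags delimiters
            re_flags = 0
            for f in flags:
                if f in "ims":
                    re_flags |= getattr(re, f.upper())
            if not re.search(pattern.encode("latin-1"), data, re_flags):
                return False
        # rev, classtype, reference, ... carry no match logic in this subset
    return True


def run(rule_text: str, samples: dict) -> list:
    """Names of the sample packets a rule fires on, in insertion order."""
    rule = parse_rule(rule_text)
    return [name for name, pkt in samples.items() if matches(rule, pkt)]


# First attempt: any "../" towards port 80.  Second attempt: traversal on the request line only.
RULE_V1 = r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"traversal v1"; content:"../"; sid:1000001; rev:1;)'
RULE_V2 = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"traversal v2"; content:"GET "; depth:4; '
           r'pcre:"/^GET \/[^\r\n]*\.\.\//"; sid:1000001; rev:2;)')

EXT, HOME = "198.51.100.7", "192.0.2.10"     # constructed sample traffic, documentation addresses
SAMPLES = {
    "attack":      Packet("tcp", EXT, 40001, HOME, 80, b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    "benign_body": Packet("tcp", EXT, 40002, HOME, 80, b"POST /notes HTTP/1.1\r\nHost: www\r\n\r\nsee ../docs/README for info"),
    "benign_get":  Packet("tcp", EXT, 40003, HOME, 80, b"GET /images/logo.png HTTP/1.1\r\nHost: www\r\n\r\n"),
    "other_port":  Packet("tcp", EXT, 40004, HOME, 22, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
}

if __name__ == "__main__":
    for text in (RULE_V1, RULE_V2):
        print(parse_rule(text).msg, "fires on:", run(text, SAMPLES))
```

The first rule fires on both the attack and the harmless POST body; after the rewrite only the attack sample fires. Against real Snort the same loop is driven with a pcap (`snort -c snort.conf -r capture.pcap -A console`), and the local rule keeps its sid in the local range (1000000 and above) so a vendor signature update does not collide with or silently replace it.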