Spring rule-writing review
Six months on from a serious overhaul of my Snort ruleset, time for a structured review. What is firing usefully, what is producing noise, what I have learned about rule design from running them at scale.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged detection engineering — 2 results.
Two weeks of trying to write Snort rules that fire on actual attacks and stay silent on actual non-attacks. The lessons are nearly all about negative space — what your rule does not match.