ワンクリックで
rule-deployment
How to assign a SID and deploy a validated Snort rule to the live IDS via the assign_sid and deploy_rule tools.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
How to assign a SID and deploy a validated Snort rule to the live IDS via the assign_sid and deploy_rule tools.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Generate Snort 3.9.7.0 IDS rules from a natural-language operator intent. Use whenever you need to write a new rule, refine an existing one, or recover from a syntax error.
Reuse Snort rules that already fired in past experiments. ALWAYS consult this skill at the start of every cycle BEFORE writing a new rule. Validated rules are known-good detection patterns persisted per attack_id under data/validated_rules/.
How to produce an evasion variant of a previously successful attack. Use this when request_variant=True on the attacker request.
How to execute the selected attack container on the attacker host and interpret the result.
How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack.
Rule-generation refinement playbook for MQTT Brute Force — credential brute force against MQTT brokers on TCP port 1883 using dictionary attacks. Load when the operator intent maps to attack_id mqtt-bruteforce.
| name | rule-deployment |
| description | How to assign a SID and deploy a validated Snort rule to the live IDS via the assign_sid and deploy_rule tools. |
Use this skill after rule-validation-workflow returns VALID for a candidate rule.
assign_sid(intent: str, rule: str) -> {"sid": int, "rule": "<rule with real SID>"} — replaces the sid:0; placeholder with a real, unique SID. Returns the SID number (you MUST remember it for check_alert_fired) and the rewritten rule.deploy_rule(rule_with_sid: str) -> "DEPLOYED" — writes the rule to the IDS rules file, ensures the include statement is present, and restarts the Snort container.assign_sid(intent, rule) with the validated rule.sid — you will pass it to check_alert_fired later.deploy_rule(rule_with_sid) with the rewritten rule.deploy_rule returns "DEPLOYED". Move on to trigger_attacker.deploy_rule raises IDSReloadError. This means the Snort container did not come back to healthy state — you cannot recover from this within the agent. Return IterationResult(fired=False, diagnosis="ids-reload-failed: <message>").Within one variant cycle you may regenerate rules multiple times, but only ONE rule is deployed at a time. Each deploy_rule call replaces the previous rule. Track each rule you tried in IterationResult.rules_attempted and the final one in IterationResult.final_rule.