Generate Snort 3.9.7.0 IDS rules from a natural-language operator intent. Use whenever you need to write a new rule, refine an existing one, or recover from a syntax error.
Reuse Snort rules that already fired in past experiments. ALWAYS consult this skill at the start of every cycle BEFORE writing a new rule. Validated rules are known-good detection patterns persisted per attack_id under data/validated_rules/.
How to produce an evasion variant of a previously successful attack. Use this when request_variant=True on the attacker request.
How to execute the selected attack container on the attacker host and interpret the result.
How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack.
Rule-generation refinement playbook for MQTT Brute Force — credential brute force against MQTT brokers on TCP port 1883 using dictionary attacks. Load when the operator intent maps to attack_id mqtt-bruteforce.
Rule-generation refinement playbook for MQTT LWT Abuse — abuse of MQTT Last Will and Testament to publish malicious payloads under the broker's trusted identity. Load when the operator intent maps to attack_id mqtt-lwt-abuse.
Rule-generation refinement playbook for MQTT Publisher Flood — PUBLISH flood saturating broker memory, bandwidth, and subscriber processing pipelines. Load when the operator intent maps to attack_id mqtt-publisher-flood.