一键导入
rule-validation-workflow
How to validate a candidate Snort rule against the live IDS before deployment, interpret the result, and recover from syntax errors.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
How to validate a candidate Snort rule against the live IDS before deployment, interpret the result, and recover from syntax errors.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Generate Snort 3.9.7.0 IDS rules from a natural-language operator intent. Use whenever you need to write a new rule, refine an existing one, or recover from a syntax error.
Reuse Snort rules that already fired in past experiments. ALWAYS consult this skill at the start of every cycle BEFORE writing a new rule. Validated rules are known-good detection patterns persisted per attack_id under data/validated_rules/.
How to produce an evasion variant of a previously successful attack. Use this when request_variant=True on the attacker request.
How to execute the selected attack container on the attacker host and interpret the result.
How to map an operator intent to one of the attacks discovered on the attacker host. Use this before calling execute_attack.
Rule-generation refinement playbook for MQTT Brute Force — credential brute force against MQTT brokers on TCP port 1883 using dictionary attacks. Load when the operator intent maps to attack_id mqtt-bruteforce.
| name | rule-validation-workflow |
| description | How to validate a candidate Snort rule against the live IDS before deployment, interpret the result, and recover from syntax errors. |
Use this skill every time you produce a candidate Snort rule. Validation runs snort -T inside the IDS container via SSH, so it catches real syntax errors before deployment reloads the engine.
snort-rule-generation.assign_sid and deploy_rule.validate_rule_syntax(rule: str) -> str
Returns one of:
"VALID" — syntax accepted. You may proceed to assign_sid."INVALID: <error>" — syntax rejected. You MUST regenerate before deployment.sid:0; placeholder).VALID, proceed.INVALID, read the error message carefully. The most common causes are:
rawbytes, threshold, uricontent, resp, react, tag)nocase, offset, depth) that should be comma-separated inside the content optionflow:stateless combined with another flow optionrev, and call validate_rule_syntax again on the corrected rule.IterationResult.rules_attempted.You have at most max_internal_attempts regenerations per variant cycle. Spend them on real refinement, not on retries of identical syntax. If you exhaust the budget with only syntax errors, return IterationResult(fired=False, diagnosis="syntax-budget-exhausted: <last error>").