So you have written a few basic rules for Snort, but are you looking for something a bit more indepth? Hopefully this quick tutorial will get you on your way.

For example, here is a basic rule:

alert tcp any any -> any 502 (msg:"Modbus traffic!"; sid:1111101;)

Now lets go a bit further, and using an industrial protocol called modbus, I have created this capture to illustrate this example: