Snort/Suricata rule structure: action protocol src_ip src_port direction dst_ip dst_port (options). Example: alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force"; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;). The direction operator is written "->" (or "<>" for bidirectional), every rule needs a unique sid (and a rev), and this threshold fires at most once per 60-second window per source IP once 5 matches have been seen.
Suricata is the modern successor to Snort: it is multi-threaded and supports more protocols. Rule options include content (byte pattern match), pcre (regular expression), http.uri (HTTP-specific sticky buffer) and threshold (frequency-based alerting). ET Open (community) and Emerging Threats Pro (commercial) provide high-quality rulesets. Always test new rules in detect (alert-only) mode before switching them to drop/block.
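As an added example (not part of the original note), a small Python parser for the header-plus-options rule structure described above, run on two constructed sample rules: the SSH example with the sid/rev Suricata requires, and a second rule whose msg contains a semicolon, which is why the option list cannot simply be split on ";".

```python
import re

# Constructed sample rules for this example (not from any published ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force"; '
    'threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Admin path; semicolon in msg"; '
    'http.uri; content:"/admin"; nocase; pcre:"/\\/admin\\/\\w+/i"; sid:1000002; rev:1;)',
]

# Header: action protocol src_ip src_port direction dst_ip dst_port, then "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)

def split_options(body):
    """Split the option body on ';' except inside double quotes (msg/content/pcre may contain ';')."""
    items, buf, in_quote, prev = [], [], False, ''
    for ch in body:
        if ch == '"' and prev != '\\':   # a backslash-escaped quote does not end the string
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = ''.join(buf).strip()
    if tail:
        items.append(tail)
    return [i for i in items if i]

def parse_threshold(value):
    """'type both,track by_src,count 5,seconds 60' -> {'type': 'both', 'track': 'by_src', 'count': 5, 'seconds': 60}."""
    out = {}
    for part in value.split(','):
        key, val = part.strip().split(None, 1)
        out[key] = int(val) if val.isdigit() else val
    return out

def parse_rule(rule):
    """Return the seven header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort/Suricata rule: " + rule)
    fields = m.groupdict()
    opts = []
    for item in split_options(fields.pop("options")):
        key, _, val = item.partition(':')   # sticky buffers such as http.uri carry no value
        val = val.strip() or None
        if val and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]                  # drop the quotes around msg/content/pcre values
        opts.append((key.strip(), val))
    fields["options"] = opts
    return fields
```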