shlogg · Early preview
Aj @gelehasan

Snort: IDS/IPS With Packet Sniffing & Network Monitoring

Snort uses predefined rules for IDS/IPS. It has 3 main modes: Packet Sniffing, Packet Logging & Network Intrusion Detection. IDS/IPS deployment types covered include NIDS, HIDS, NIPS, BIPS, WIPS & HBIPS. Detection techniques are Signature Based, Behavior Based & Policy Based.

Yara Rule For Malware Identification In 60 Characters

Yara rules detect malware by matching binary & textual patterns in files. A rule has 3 parts: Meta, Strings (the patterns to search for) & Condition (the file is flagged if it is met). Example: strings section `$hello_world = "Hello world" nocase`, condition `$hello_world and filesize < 20KB`.

Cyber Kill Chain: Understanding The 7 Phases Of A Network Intrusion

The Cyber Kill Chain framework identifies 7 phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation (persistent backdoor), Command & Control, and Actions on Objectives (e.g. exfiltration).

Pyramid Of Pain: Understanding Attack Difficulty Levels

The Pyramid of Pain ranks indicators (hashes, IP addresses, domain names, ...) by how hard it is for attackers to change them. Hashes: fixed-size values used to authenticate files & messages. Tools: VirusTotal, MetaDefender Cloud, PowerShell script.