Snort Signature Writing

Here is the link:
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node14.html

Here are the basics...

Rule format:
Action Protocol SrcIP SrcPort Direction DestIP DestPort (Packet Sig. | Msg)

Example:
alert tcp any any -> 192.168.0.1/24 111 (content "|00 01 86 a5|"; msg: "mountd access")

Dynamic rules sets are also explained.