I use Linux, and yet I tried out OpenBSD (3.5 at the time). I managed to learn it quickly, especially the configuration of Apache, ftpd and other services; however, my main purpose for using OpenBSD was to run a security device, since OpenBSD is secure by default. Since OpenBSD offers its own firewall, called PF, I started learning it by reading the manual and the documentation on openbsd.org, then quickly googling to see how other people put their rules together. PF turned out to be much simpler and easier to understand; I'm now able to write a PF rules file without referring much to its manual and documentation, which is more fun as well, since there is less headache in loading PF rules.
Last year I started writing Snort rules after joining a new company. I had used Snort for two years before that, but never wrote any rules until last year, when I had to. At first it looks complicated, but after a while you feel comfortable, since the tricky part is writing rules that detect intrusions precisely, rather than the syntax itself.
Apparently both PF firewall rules and Snort IDS rules are very human-readable, and you can quickly understand what a rule does. Then I found out why I could adapt to writing Snort rules so quickly: it is actually very similar to writing PF rules. Let's take a look at the structure of both.
Below is the syntax of a PF rule:
(pf action) [log] [quick] on [interface] [af] [protocol] from [src_addr[port src_port]] (direction) [dst_addr[port dst_port]] [flags tcp_flags] [state]
And here is the syntax of a Snort rule:
(snort action) [protocol] [src_addr[src_port]] (direction) [dst_addr[dst_port]] (msg:"PF Snort l33t"; optional classtype; optional Snort ID (sid); optional revision (rev) number;)
I have marked the similarities between them in bold, and if you read them carefully you will find that the two are almost the same, with few differences. Don't you think this is cool? I have killed two birds with one stone: PF made Snort easy going for me. (:])
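As an added example (not code from the original post), the following Python script parses one constructed PF rule and one constructed Snort rule into the same set of fields (protocol, source, source port, destination, destination port), which makes the shared structure visible. The rule text, the address 192.0.2.10 and the sid are assumed sample values, and the regexes cover only the rule shapes shown above, not the full grammar of either tool.

```python
import re

# Constructed sample rules (assumptions, not from the original post): a PF
# filter rule and a Snort rule that both select inbound TCP to a web server.
PF_RULE = "pass in quick on em0 proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state"
SNORT_RULE = ('alert tcp any any -> 192.0.2.10 80 '
              '(msg:"PF Snort l33t"; classtype:web-application-activity; sid:1000001; rev:1;)')

# PF: (action) [log] [quick] on [if] [af] proto [p] from [src [port n]] to [dst [port n]] ...
PF_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?:(?P<dir>in|out)\s+)?(?:log\s+)?(?:quick\s+)?"
    r"(?:on\s+\S+\s+)?(?:inet6?\s+)?proto\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?")

# Snort: (action) [proto] [src src_port] (direction) [dst dst_port] (options;)
SNORT_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")

def parse_pf(line):
    """Return the fields PF shares with Snort: the action and the 5-tuple selector."""
    m = PF_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised PF rule: " + line)
    # PF leaves the port out when any port is meant; Snort spells it "any".
    return {"action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": m["sport"] or "any",
            "dst": m["dst"], "dport": m["dport"] or "any"}

def parse_snort(line):
    """Return the same selector fields plus the keyword options (msg, sid, rev, ...)."""
    m = SNORT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised Snort rule: " + line)
    opts = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"], "options": opts}

SELECTOR = ("proto", "src", "sport", "dst", "dport")

def same_traffic(pf, snort):
    """True when both rules select the same traffic. Actions differ by design
    (PF pass/block vs. Snort alert/log), so only the selector is compared."""
    return all(pf[k] == snort[k] for k in SELECTOR)

if __name__ == "__main__":
    pf, snort = parse_pf(PF_RULE), parse_snort(SNORT_RULE)
    print(pf, snort, same_traffic(pf, snort), sep="\n")
```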
What a coincidence!!!!!