Rule development for Snort, which is one of the most popular network intrusion detection systems, is a critical skill to detect ever emerging new cyber attacks. This paper describes a Snort lab that helps students to learn Snort rules effectively. For beginners, it is difficult to determine if a rule is correctly written without being able to test them in a realistic setting. The uniqueness of this hands-on learning lab is that it allows students learn how to write Snort rules by testing and debugging their rules against the live network traffic replay. The lab requires students to learn and apply various features of Snort rules to successfully detect the intrusions. The intrusion traffic packets are real captures that were downloaded from various sources on the Internet.