Critical infrastructures conduct important services for the countries where they are via help of SCADA (Supervisory Control and Data Acquisition) systems/networks. Even little hitches in these services cause severe economic and environmental damage to countries where these systems are. When the SCADA systems used at the first time, unsecured communication protocols were not considered as a threat since these systems are in the isolated environment. When the protocols became public and standardized, SCADA systems started using TCP/IP technologies. This caused SCADA systems vulnerable to attacks come over TCP/IP. Conventional IDS (Intrusion Detection System)s which are used in IT sector are not enough to detect attacks in SCADA systems because of different structure of these systems. Generating true alarms depends on writing true rules. For this reason, structures and vulnerabilities of used protocols should be known. In this study, Modbus protocol which is often used in critical infrastructures is reviewed and how to write SNORT IDS rule for this protocol is explained and intended to improve SNORT IDS.