Organizations deploy Intrusion Detection Systems (IDSs) like Suricata to defend against threats. Although rulesets, rules, and the resulting alerts have been studied previously, little is known so far about the process by which rules are engineered. We aim to address this gap by studying how network intrusion detection rules are derived from incidents. To this end, we propose the SuriCap measurement platform and organize Jeopardy-style workshops in which participants compete to engineer Suricata rules. We collect a rich dataset consisting of over 364 rules from 28 participants. Preliminary results suggest that our experimental design is viable and that, together with the SuriCap measurement platform, it can enable us to answer several research questions surrounding the engineering process of network intrusion detection rules.