This paper presents a method to establish a rulebase based on multilayer intrusion detection. This rulebase contains two parts: the rulebase based on IP layer intrusion detection and the rulebase based on application layer intrusion detection. The former adopts a mixed quadratic network statistical model to test network traffic which has performances of dynamic principle and low False Positive Probability ( FPP) and low False Negative Probability ( FNP), and the rulebase is established using the twice-aggregation method. The latter is established by improved Snort. The simulation has proved that this intelligent rulebase can improve detection rate and ability to a large degree, and has low FPP and FNP.