Snort mailing list archives

Is this a valid rule?

From: SLefevre () i-m-i-international com (Lefevre, Steven)
Date: Thu, 24 Oct 2002 14:52:24 -0400

I have this rule in my local rule file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")

(It's to detect IRC traffic ;)

Why does snort always choke on it? I've looked it over 100 times and it
seems to follow the syntax.



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Portscan 2 question Joe Giles (Oct 24)
- Is this a valid rule? Lefevre, Steven (Oct 24)
  - Re: Is this a valid rule? Alberto Gonzalez (Oct 24)
- Re: Portscan 2 question Robby Desmond (Oct 24)
  - Re: Portscan 2 question Joe Giles (Oct 24)
  - Re: Portscan 2 question Joe Giles (Oct 24)
    - Re: Portscan 2 question Gary Verhulp (Oct 24)
  - Message not available
    - Re: Portscan 2 question Joe Giles (Oct 24)
- <Possible follow-ups>
- RE: Portscan 2 question Joe Giles (Oct 24)
- RE: Portscan 2 question Soren Macbeth (Oct 24)
  - RE: Portscan 2 question Joe Giles (Oct 24)
- RE: Portscan 2 question Soren Macbeth (Oct 24)

(Thread continues...)