Snort mailing list archives

memory refresh, please...


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Mon, 12 Aug 2019 14:33:12 -0400



when writing rules, does it matter which comes first? $EXTERNAL_NET or $HOME_NET if you are using flow:from_server,established; or flow:to_client,established; ??

scenario: telnet session; external_net client; home_net server; client sends certain content; server sends specific response content.

we are trying to catch the server's response content and alert on it... just not sure if we're looking at the stream from the correct POV... it has been a while since writing a fresh rule :(


alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL.RULES Failed login with blocked user name"; flow:from_server,established; content:"|21|Failed login with blocked user name|3a|"; classtype:attempted-user; sid:100000024; rev:2;)



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
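Added example, not part of the post above and not Snort's own code: a toy Python model of how the rule header and the flow keyword are evaluated against a tracked TCP session. The addresses, ports and telnet payloads are constructed; the home network, the packet dict layout and the function names are assumptions made for this illustration.

```python
import ipaddress

# Constructed value for illustration (not from the original post).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

def in_var(addr, var):
    """Resolve $HOME_NET / $EXTERNAL_NET (EXTERNAL_NET is !$HOME_NET) for one address."""
    inside = ipaddress.ip_address(addr) in HOME_NET
    return inside if var == "HOME_NET" else not inside

def track_session(packets):
    """Stream tracking: the side that sent the SYN is the client, the other side is the server."""
    for p in packets:
        if p["flags"] == "S":
            return {"client": (p["src"], p["sport"]), "server": (p["dst"], p["dport"])}
    return None

def rule_matches(rule, pkt, flow):
    # Header: source/destination are the packet's own sender and receiver, not session roles.
    if not in_var(pkt["src"], rule["src"]) or not in_var(pkt["dst"], rule["dst"]):
        return False
    if rule["sport"] != "any" and pkt["sport"] != rule["sport"]:
        return False
    if rule["dport"] != "any" and pkt["dport"] != rule["dport"]:
        return False
    # flow: from_server/to_client are synonyms, judged against the tracked session's server side.
    from_server = (pkt["src"], pkt["sport"]) == flow["server"]
    if rule["flow"] in ("from_server", "to_client") and not from_server:
        return False
    if rule["flow"] in ("to_server", "from_client") and from_server:
        return False
    return rule["content"] in pkt["payload"]

# Constructed telnet session: external client 203.0.113.5 -> home server 192.168.1.10:23.
SESSION = [
    {"src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 23, "flags": "S", "payload": b""},
    {"src": "192.168.1.10", "sport": 23, "dst": "203.0.113.5", "dport": 40000, "flags": "SA", "payload": b""},
    {"src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 23, "flags": "PA", "payload": b"baduser\r\n"},
    {"src": "192.168.1.10", "sport": 23, "dst": "203.0.113.5", "dport": 40000, "flags": "PA",
     "payload": b"!Failed login with blocked user name: baduser\r\n"},
]
CONTENT = b"!Failed login with blocked user name:"   # |21| ... |3a| from the posted rule

def alerts(rule):
    """Number of packets in SESSION that fire the rule."""
    flow = track_session(SESSION)
    return sum(rule_matches(rule, p, flow) for p in SESSION)

# The posted header: $HOME_NET 23 -> $EXTERNAL_NET any with flow:from_server (server is the packet source).
POSTED = {"src": "HOME_NET", "sport": 23, "dst": "EXTERNAL_NET", "dport": "any", "flow": "from_server", "content": CONTENT}
# The same rule with the header reversed never fires: the header describes the packet, not the session roles.
REVERSED = dict(POSTED, src="EXTERNAL_NET", sport="any", dst="HOME_NET", dport=23)
```

Running `alerts(POSTED)` fires once, on the server's response packet, while `alerts(REVERSED)` fires zero times.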

