Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is this a valid rule?

From: Alberto Gonzalez <ag-snort () cerebro violating us>
Date: Thu, 24 Oct 2002 23:33:50 -0700
and IRC ports (for most servers I've seen) 6667 not 6008

Lefevre, Steven wrote:


I have this rule in my local rule file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")

(It's to detect IRC traffic ;)

Why does snort always choke on it? I've looked it over 100 times and it
seems to follow the syntax.



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now. http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
The secret to success is to start from scratch and keep on scratching.




-------------------------------------------------------
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now. http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: