Snort mailing list archives

Re: snort rules flow option

From: Brian <bmc () snort org>
Date: Fri, 25 Apr 2003 09:50:35 -0400

On Mon, Apr 14, 2003 at 03:42:11PM -0400, Michael Goodman wrote:

Could someone please explain to me the difference between
to_client and from_server?  The snort users manual describes both as 
trigger on server responses from A to B.  Thanks.


It is a semantics thing.

If the rule is looking for the server attacking the client, we use the 
"to_client" keyword.

If the rule is looking for responses from an attack targeted at the server,
we use the "from_server" keyword.

This is my attempt to provide a bit more context to rules.

-brian


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort rules flow option Michael Goodman (Apr 14)
- Re: snort rules flow option Chris Green (Apr 21)
- Re: snort rules flow option Brian (Apr 25)