Snort mailing list archives

Noob question about different parts of a rule


From: stormshadow <storm-shadow () comcast net>
Date: Mon, 28 Apr 2003 15:50:32 -0400


I was looking at this rule trying to learn what everything in there 
means:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR 
netbus active"; flow:from_server,established; content:"NetBus"; 
reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;) 

Can anyone explain this rule to me? I know that there are 3 modes 
right? (alert, log, and something else). What does the $HOME_NET and 
$EXTERNAL_NET mean? Why do you say "any"?

Is this rule stating "alert any traffic outbound from port 12345 and 
123456"? 
Confused.
TIA
Storm
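
The rule quoted in the post above, split into its seven header fields and its option list by a small parser. This is an added example, not part of the original message or of Snort itself; `parse_rule` and `port_range` are hypothetical helper names, and the parser assumes no escaped `;` or `"` inside option values and no `!` negation on ports.

```python
import re

# The rule from the post, rejoined onto one line (the e-mail wrapped it).
RULE = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any '
        '(msg:"BACKDOOR netbus active"; flow:from_server,established; '
        'content:"NetBus"; reference:arachnids,401; '
        'classtype:misc-activity; sid:109; rev:4;)')

# Header layout: action, protocol, source address/port, direction, destination.
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")


def parse_rule(rule):
    """Return (header dict, ordered list of (option, value)) for one rule."""
    m = re.match(r'\s*([^(]+?)\s*\((.*)\)\s*$', rule, re.S)
    if not m:
        raise ValueError("expected '<header> (<options>)'")
    parts = m.group(1).split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("header needs 7 fields, got %d" % len(parts))
    header = dict(zip(HEADER_FIELDS, parts))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("bad direction operator")
    options = []
    # Options are ';'-separated; a ';' inside a quoted value does not split.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', m.group(2)):
        key, _, value = opt.strip().partition(":")
        if key:
            options.append((key.strip(), value.strip().strip('"')))
    return header, options


def port_range(spec):
    """Expand a port field: 'any', 'N', 'LOW:HIGH', ':HIGH' or 'LOW:'."""
    if spec == "any":
        return (0, 65535)
    if ":" not in spec:
        return (int(spec), int(spec))
    low, high = spec.split(":", 1)
    return (int(low or 0), int(high or 65535))


if __name__ == "__main__":
    header, options = parse_rule(RULE)
    for name in HEADER_FIELDS:
        print("%-10s %s" % (name, header[name]))
    print("src ports ", port_range(header["src_port"]))
    for key, value in options:
        print("  option %-10s %s" % (key, value))
```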





