Snort mailing list archives

Re: memory refresh, please...


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Mon, 12 Aug 2019 15:52:17 -0400

On 8/12/19 3:27 PM, Joel Esler (jesler) wrote:
The thing I am stumbling over is, are you asking the difference between "from_server" and "to_client"?

more like the difference between

  $EXTERNAL_NET any -> $HOME_NET any

and

  $HOME_NET any -> $EXTERNAL_NET any

does the "->" actually mean anything?
is the one on the left the "originator" and the one on the right the "destination"? it has been so long and my brain is fried in this heat :/

as for your question, i think those are both the same thing as are their opposites, from_client and to_server... right?


as an example, we have another rule that is almost identical to the one posted but it wasn't working until we swapped "external_net port" and "home_net port"... once they were swapped, the rule started firing as expected... now we have this new rule and a similar situation but it is not firing as expected...


On Aug 12, 2019, at 2:33 PM, wkitty42--- via Snort-users <snort-users () lists snort org> wrote:

when writing rules, does it matter which comes first? $EXTERNAL_NET or $HOME_NET if you are using flow:from_server,established; or flow:to_client,established; ??

scenario: telnet session; external_net client; home_net server; client sends certain content; server sends specific response content.

we are trying to catch the server's response content and alert on it... just not sure if we're looking at the stream from the correct POV... it has been a while since writing a fresh rule :(


alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL.RULES Failed login with blocked user name"; flow:from_server,established; content:"|21|Failed login with blocked user name|3a|"; classtype:attempted-user; sid:100000024; rev:2;)

--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
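An added example, not code from this thread or from the Snort project: a small Python check that parses a rule header and its flow keyword and reports which half of the header Snort treats as the server and which as the client (the left side of "->" is the inspected packet's source, the right side its destination; from_server and to_client name the same direction, as do from_client and to_server). The port-placement heuristic in lint() is this example's own assumption, not a Snort rule.

```python
import re

# Header layout: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# flow direction keywords: each pair names the same sender
FLOW_SENDER = {"from_server": "server", "to_client": "server",
               "from_client": "client", "to_server": "client"}

def parse_rule(rule):
    """Split a (possibly line-wrapped) rule into header fields and options."""
    m = HEADER_RE.match(" ".join(rule.split()))
    if not m:
        raise ValueError("unrecognised rule header")
    d = m.groupdict()
    d["sender"] = None  # who sends the packet the rule inspects, per flow:
    for opt in d["opts"].split(";"):
        key, _, val = opt.strip().partition(":")
        if key == "flow":
            for tok in val.split(","):
                d["sender"] = FLOW_SENDER.get(tok.strip(), d["sender"])
    return d

def endpoint_roles(rule):
    """Left of '->' is the inspected packet's source, right its destination;
    flow:from_server (same as to_client) says the server sends that packet."""
    d = parse_rule(rule)
    src, dst = f'{d["src"]} {d["sport"]}', f'{d["dst"]} {d["dport"]}'
    if d["dir"] == "<>" or d["sender"] is None:
        return {"server": "undetermined", "client": "undetermined"}
    if d["sender"] == "server":
        return {"server": src, "client": dst}
    return {"server": dst, "client": src}

def lint(rule):
    d = parse_rule(rule)
    warnings = []
    if d["sender"] is None:
        warnings.append("no flow direction keyword; only the header direction constrains matching")
    if d["dir"] == "<>":
        warnings.append("'<>' matches both directions; only flow pins the sender")
    if warnings:
        return warnings
    # Heuristic chosen for this example (not a Snort rule): a fixed port on the
    # client side while the server port is 'any' suggests the halves were swapped.
    srv, cli = (d["sport"], d["dport"]) if d["sender"] == "server" else (d["dport"], d["sport"])
    if cli.isdigit() and srv == "any":
        warnings.append(f"fixed port {cli} is on the client side; header halves may be swapped")
    return warnings
```

Run endpoint_roles() on the rule from the thread to see that $HOME_NET 23 is the server side, and on the same rule with the two halves swapped to see the role assignment flip.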