Re: memory refresh, please...

["Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>]

> On Aug 12, 2019, at 3:52 PM, wkitty42 () windstream net wrote:
>
> On 8/12/19 3:27 PM, Joel Esler (jesler) wrote:
> > The thing I am stumbling over is, are you asking the difference between "from_server" and "to_client"?
>
> more like the difference between
>
>  $EXTERNAL_NET any -> $HOME_NET any
>
> and
>
>  $HOME_NET any -> $EXTERNAL_NET any
>
> does the "->" actually mean anything?
> is the one on the left the "originator" and the one on the right the "destination"? it has been so long and my brain 
> is fried in this heat :/


Yes.  Direction in which it is flowing.  Assuming HOME_NET is set, HOME_NET should be the network you are protecting.  
EXTERNAL_NET is everything else.


> as for your question, i think those are both the same thing as are their opposites, from_client and to_server... 
> right?

from_client and to_server are exactly the same.   In fact, in the code, one references the other.  


> as an example, we have another rule that is almost identical to the one posted but it wasn't working until we swapped 
> "external_net port" and "home_net port"... once they were swapped, the rule started firing as expected... now we have 
> this new rule and a similar situation but it is not firing as expected...


How can I help?

> > > On Aug 12, 2019, at 2:33 PM, wkitty42--- via Snort-users <snort-users () lists snort org> wrote:
> > >
> > > when writing rules, does it matter which comes first? $EXTERNAL_NET or $HOME_NET if you are using 
> > > flow:from_server,established; or flow:to_client,established; ??
> > >
> > > scenario: telnet session; external_net client; home_net server; client sends certain content; server sends specific 
> > > response content.
> > >
> > > we are trying to catch the server's response content and alert on it... just not sure if we're looking at the 
> > > stream from the correct POV... it has been a while since writing a fresh rule :(
> > >
> > >
> > > alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL.RULES Failed login with blocked user name"; 
> > > flow:from_server,established; content:"|21|Failed login with blocked user name|3a|"; classtype
> > > :attempted-user; sid:100000024; rev:2;)
>
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       *Please keep mailing list traffic on the list unless*
>       *a signed and pre-paid contract is in effect with us.*

Attachment: smime.p7s
Description:

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette