Snort mailing list archives

Re: memory refresh, please...


From: wkitty42--- via Snort-users <snort-users () lists snort org>
Date: Mon, 12 Aug 2019 16:43:41 -0400

On 8/12/19 4:16 PM, Joel Esler (jesler) wrote:
  $EXTERNAL_NET any -> $HOME_NET any

and

  $HOME_NET any -> $EXTERNAL_NET any

does the "->" actually mean anything?
is the one on the left the "originator" and the one on the right the "destination"? it has been so long and my brain is fried in this heat :/


Yes.  Direction in which it is flowing.  Assuming HOME_NET is set, HOME_NET should be the network you are protecting.  
EXTERNAL_NET is everything else.

ahhh... hummm...

client connects
server transmits
client transmits
server transmits <- this transmission is what we're after if it matches the rule content...

here's the rule as posted originally...

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL.RULES Failed login with blocked user name"; flow:from_server,established; content:"|21|Failed login with blocked user name|3a|"; classtype:attempted-user; sid:100000024; rev:2;)

if:
  "it" is the content we're looking for,
  "->" is the direction of the flow,
  and the "flow:from_server" is correct,
then the above rule should be firing when the server sends the "content" data, right?


as for your question, i think those are both the same thing as are their opposites, from_client and to_server... right?

from_client and to_server are exactly the same.   In fact, in the code, one references the other.

welp, maybe my brain isn't as fried as i thought :P

as an example, we have another rule that is almost identical to the one posted but it wasn't working until we swapped "external_net port" and "home_net port"... once they were swapped, the rule started firing as expected... now we have this new rule and a similar situation but it is not firing as expected...

How can I help?

you're helping to clear the cobwebs now i think... this is almost embarrassing :lol:

--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
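The direction and flow semantics the thread is circling around, as an added worked example. This is a toy model written for this page, not code from the post and not Snort's own engine. It assumes $HOME_NET is 192.168.1.0/24 and $EXTERNAL_NET is !$HOME_NET (Snort's default), it treats every packet of the constructed telnet session as "established", and the client/server addresses, ports and payloads are all made up. It runs the rule as posted against the four-step exchange wkitty42 sketched (connect, server, client, server), then runs the same rule with the header sides swapped, and the same rule with to_client in place of from_server.

```python
"""Toy model of a Snort rule header's '->' operator plus the flow keyword.

Added example; NOT Snort source and not from the mailing-list post.
Three checks are modelled in the order Snort applies them:
  1. header: packet src/dst net+port against the rule header, where '->'
     means "left side is the packet's source, right side its destination";
  2. flow: from_server/to_client (synonyms) vs from_client/to_server,
     decided by which end of the session was the connection's responder;
  3. content: the decoded content bytes (|21| -> 0x21) inside the payload.
"""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed lab value for $HOME_NET
FLOW_SYNONYMS = {"to_client": "from_server", "to_server": "from_client"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    server: str        # responder of the TCP session (the end that accepted the SYN)
    server_port: int


@dataclass
class Rule:
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    flow: set
    content: bytes
    sid: str


def net_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":          # Snort default: !$HOME_NET
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def content_to_bytes(spec):
    """Decode Snort content syntax: literal text with |xx xx| hex escapes."""
    parts = re.split(r"\|([0-9A-Fa-f ]+)\|", spec)
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))


def parse_rule(text):
    m = re.match(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
                 text.strip())
    if not m:
        raise ValueError("not a rule header this toy understands")
    _action, _proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {k: v.strip('"')
            for k, v in re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)', body)}
    # normalise flow flags so to_client is stored as from_server, to_server as from_client
    flow = {FLOW_SYNONYMS.get(f.strip(), f.strip())
            for f in opts.get("flow", "").split(",") if f.strip()}
    return Rule(src, sport, direction, dst, dport, flow,
                content_to_bytes(opts.get("content", "")), opts.get("sid", "?"))


def header_matches(rule, pkt):
    def side(nspec, pspec, ip, port):
        return net_matches(nspec, ip) and port_matches(pspec, port)
    forward = (side(rule.src, rule.sport, pkt.src, pkt.sport)
               and side(rule.dst, rule.dport, pkt.dst, pkt.dport))
    if rule.direction == "<>":           # bidirectional: either orientation is accepted
        return forward or (side(rule.src, rule.sport, pkt.dst, pkt.dport)
                           and side(rule.dst, rule.dport, pkt.src, pkt.sport))
    return forward


def flow_matches(rule, pkt):
    # 'established' is assumed true for every packet in the constructed session.
    from_server = pkt.src == pkt.server and pkt.sport == pkt.server_port
    if "from_server" in rule.flow and not from_server:
        return False
    if "from_client" in rule.flow and from_server:
        return False
    return True


def fire(rule_text, packets):
    """Return the indexes of the packets on which the rule would alert."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets)
            if header_matches(rule, p) and flow_matches(rule, p) and rule.content in p.payload]


# Constructed session: external client talks to an internal telnet server.
CLIENT, SERVER = "203.0.113.5", "192.168.1.10"
def c2s(payload): return Packet(CLIENT, 51234, SERVER, 23, payload, SERVER, 23)
def s2c(payload): return Packet(SERVER, 23, CLIENT, 51234, payload, SERVER, 23)

SESSION = [
    c2s(b"\xff\xfd\x01"),                                      # client connects
    s2c(b"login: "),                                           # server transmits
    c2s(b"root\r\n"),                                          # client transmits
    s2c(b"!Failed login with blocked user name: root\r\n"),    # server transmits: the one we want
]

ORIGINAL_RULE = ('alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL.RULES Failed login with '
                 'blocked user name"; flow:from_server,established; '
                 'content:"|21|Failed login with blocked user name|3a|"; '
                 'classtype:attempted-user; sid:100000024; rev:2;)')
SWAPPED_RULE = ORIGINAL_RULE.replace("$HOME_NET 23 -> $EXTERNAL_NET any", "$EXTERNAL_NET any -> $HOME_NET 23")
TO_CLIENT_RULE = ORIGINAL_RULE.replace("flow:from_server", "flow:to_client")

if __name__ == "__main__":
    for name, r in [("original", ORIGINAL_RULE), ("swapped", SWAPPED_RULE), ("to_client", TO_CLIENT_RULE)]:
        print(f"{name:10s} fires on packets {fire(r, SESSION)}")
```

The point the toy makes explicit: with the header written as $HOME_NET 23 -> $EXTERNAL_NET any, the fourth packet (server to client, carrying the content) passes the header check because the server really is the packet's source, passes flow:from_server because the server is the session's responder, and carries the content, so the rule fires on it and on nothing else. Swap the header sides and the same packet fails the header check (its source is no longer on the left-hand side), while the client-to-server packets that now pass the header fail from_server, so nothing fires at all, which is the symptom the thread describes. Replacing from_server with to_client changes nothing, as the two flags are normalised to the same value here, mirroring the "one references the other" remark.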
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


Current thread: