[Snort-devel] New feature wanted: Locate the bad guy?

Gianni Tedesco gianni at ...1804...
Fri Jul 4 03:29:05 EDT 2003

On Mon, 2003-06-23 at 10:57, Martin Olsson wrote:
> One could exchange this with labels indicating the type of the packet:
> Q = This is a query
> R = This is a response
> A = Any of the two

I kinda like using the direction arrow for it, so the first address is
always bad guy.


would work for most things. Then for sigs like 'id check returns root'
the rule is:


and bi-directional rules <> as you say are special case...

// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
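Added example (not code from the thread or from Snort itself): a small Python parser that applies the convention Gianni describes to a rule header, treating the first address of a `->` rule as the bad guy and a bidirectional `<>` rule as the special case with no attacker-side hint. The sample rules and sids are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Snort rule header layout: action proto src sport dir dst dport,
# optionally followed by the option section in parentheses.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\(.*\))?\s*$"
)


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: str


def parse_header(rule: str) -> dict:
    """Split a rule header into its fields; raise on anything unparseable."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    return m.groupdict()


def bad_guy(rule: str) -> Optional[Endpoint]:
    """Return the attacker-side endpoint under the thread's convention:
    the first address of a '->' rule is the bad guy, and a '<>' rule
    gives no such hint, so it yields None."""
    h = parse_header(rule)
    if h["dir"] == "<>":
        return None
    return Endpoint(h["src"], h["sport"])


# Constructed sample rules (hypothetical sids, not from the thread).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC probe"; sid:1000001;)',
    'alert tcp $HOME_NET 23 <> $EXTERNAL_NET any (msg:"TELNET session"; sid:1000002;)',
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(bad_guy(r))
```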

More information about the Snort-devel mailing list