[Snort-sigs] newbie question

Matt Kettler mkettler at ...189...
Wed Apr 16 09:58:06 EDT 2003

You're missing a protocol; you need to specify what type of packet to 
match: IP, TCP, UDP, etc. Offhand I'm not sure if IRC is TCP or UDP, but 
here's what it should look like, assuming IRC is TCP based:

suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

At 12:28 AM 4/16/2003 -0700, David Davis wrote:
>i#suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
>Well, my question is: when I place suspicious $HOME_NET any -> $HOME_NET 
>6667 (msg:"Internal IRC in a rules file it says
>Bad protocol: any
>Any ideas on this and how to correct this issue?
>And thanks in advance
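
A header check for the kind of mistake discussed in this thread, as an added example that is not from either poster or from the Snort project. It assumes the Snort 2.x seven-field rule header (action, protocol, source address, source port, direction, destination address, destination port); `check_header` and the sample rules are constructed for illustration, and its messages are its own, not Snort's.

```python
# Protocols and direction operators accepted in a Snort 2.x rule header.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
FIELDS = "action proto src sport dir dst dport"


def check_header(rule):
    """Return a list of problems found in one rule line (empty list = OK)."""
    header = rule.split("(", 1)[0].split()
    problems = []
    # The second field must name a protocol; a variable or address here
    # means the protocol was left out and every later field has shifted.
    if len(header) >= 2 and header[1].lower() not in PROTOCOLS:
        problems.append("field 2 is %r, expected one of %s"
                        % (header[1], sorted(PROTOCOLS)))
    if len(header) != 7:
        problems.append("header has %d fields, expected 7 (%s)"
                        % (len(header), FIELDS))
    elif header[4] not in DIRECTIONS:
        problems.append("field 5 is %r, expected -> or <>" % header[4])
    # The option list must be closed, or the parser reads past the rule.
    if "(" in rule and not rule.rstrip().endswith(")"):
        problems.append("option list is not closed with ')'")
    return problems


# Constructed sample rules modelled on the thread; 'suspicious' is treated
# as a custom rule type declared elsewhere in the configuration.
SAMPLES = [
    'suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)',
    'suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";',
    'suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        issues = check_header(rule)
        print("OK " if not issues else "BAD", rule)
        for issue in issues:
            print("     -", issue)
```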
