[Snort-users] Is this a valid rule?

Lefevre, Steven SLefevre at ...7076...
Thu Oct 24 11:53:05 EDT 2002


I have this rule in my local rule file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")

(It's to detect IRC traffic ;)

Why does snort always choke on it? I've looked it over 100 times and it
seems to follow the syntax.





More information about the Snort-users mailing list