[Snort-users] snort rules flow option

Brian bmc at ...950...
Fri Apr 25 06:53:09 EDT 2003

On Mon, Apr 14, 2003 at 03:42:11PM -0400, Michael Goodman wrote:
> Could someone please explain to me the difference between
> to_client and from_server?  The snort users manual describes both as 
> trigger on server responses from A to B.  Thanks.

It is a semantics thing.

If the rule is looking for the server attacking the client, we use the 
"to_client" keyword.

If the rule is looking for responses from an attack targeted at the server,
we use the "from_server" keyword.

This is my attempt to provide a bit more context to rules.
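
The convention described in the reply above, as an added example that is not part of the original post: two Snort rules whose flow options match the same direction of an established session (server responses) but label different situations. The messages, content strings and sids are constructed placeholders, and $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are assumed to be defined in snort.conf.

```snort
# Constructed example rules; content strings, messages and sids are placeholders.

# Server attacking the client: the server is the hostile side, so the
# source is external and the rule is labelled with to_client.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE hostile content sent to client"; flow:to_client,established; content:"EXAMPLE-HOSTILE-MARKER"; classtype:attempted-user; sid:1000001; rev:1;)

# Response from an attack targeted at the server: the protected server is
# the source, and its reply shows the attack had an effect, so the rule is
# labelled with from_server.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"EXAMPLE attack response from server"; flow:from_server,established; content:"EXAMPLE-ATTACK-RESPONSE"; classtype:successful-admin; sid:1000002; rev:1;)
```

Swapping the two flow keywords would not change which packets either rule matches; what separates the rules in practice is the address variables, with the keyword documenting which side the rule writer treats as the attacker.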

