[Snort-users] Noob question about different parts of a rule
storm-shadow at ...5068...
Mon Apr 28 12:54:13 EDT 2003
I was looking at this rule, trying to learn what everything in there means:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR
netbus active"; flow:from_server,established; content:"NetBus";
reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)
Can anyone explain this rule to me? I know that there are 3 modes,
right? (alert, log, and something else). What do $HOME_NET and
$EXTERNAL_NET mean? Why do you say "any"?
Is this rule stating "alert any traffic outbound from port 12345 and
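As an added example (not part of the original post), a small Python parser that splits the quoted rule into the header fields the question asks about (action, protocol, source, source ports, direction, destination, destination ports) and the option list; $HOME_NET and $EXTERNAL_NET are left as the variable names that Snort expands from its configuration, and the rule text is the one quoted above.

```python
# Constructed sample: the NetBus rule quoted in the question above, unwrapped.
NETBUS_RULE = (
    'alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR '
    'netbus active"; flow:from_server,established; content:"NetBus"; '
    'reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)'
)

def parse_ports(field):
    """Turn a Snort port field into an inclusive (low, high) range."""
    if field == "any":                 # "any" matches every port
        return (0, 65535)
    if ":" in field:                   # "12345:12346" is a range
        lo, hi = field.split(":", 1)
        return (int(lo or 0), int(hi or 65535))
    return (int(field), int(field))    # a single port

def split_options(body):
    """Split the option body on ';' that is not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def parse_rule(text):
    """Return the header fields and options of one Snort rule as a dict."""
    header, body = text.split("(", 1)          # header is everything before '('
    body = body.rsplit(")", 1)[0]              # options sit between '(' and ')'
    # Header layout: action protocol src src_ports direction dst dst_ports
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")       # "sid:109" -> ("sid", "109")
        options[key.strip()] = val.strip().strip('"') if val else True
    return {
        "action": action, "protocol": proto,
        "src": src, "src_ports": parse_ports(sport),
        "direction": direction,
        "dst": dst, "dst_ports": parse_ports(dport),
        "options": options,
    }
```

For the quoted rule this yields action "alert", protocol "tcp", source $HOME_NET with ports 12345 through 12346, direction "->", destination $EXTERNAL_NET on any port, and options such as sid 109 and flow from_server,established.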