[Snort-users] Noob question about different parts of a rule

stormshadow storm-shadow at ...5068...
Mon Apr 28 12:54:13 EDT 2003


I was looking at this rule trying to learn what everything in there 
means:
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:4;)

Can anyone explain this rule to me? I know that there are 3 modes, 
right? (alert, log, and something else). What do $HOME_NET and 
$EXTERNAL_NET mean? Why do you say "any"?

Is this rule stating "alert any traffic outbound from port 12345 and 
123456"? 
Confused.
TIA
Storm
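A rule has two parts: a header (action, protocol, source address, source port, direction, destination address, destination port) and a parenthesised list of options. The following parser is an added example, written for this post; it is not code from the poster or from the Snort project. It takes the rule quoted above as constructed sample input, pulls the header fields apart, expands the port range, and splits the options on ";" while respecting quoted values. The function names (`parse_rule`, `parse_port`, `port_matches`, `split_options`, `describe`) are this example's own; the set of rule actions it accepts is the one Snort 1.x/2.x documents (alert, log, pass, activate, dynamic). Port negation with "!" and port lists are deliberately not handled.

```python
import re

# Constructed input: the rule quoted in the post, with the mail line-wrapping undone.
SAMPLE_RULE = (
    'alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any '
    '(msg:"BACKDOOR netbus active"; flow:from_server,established; '
    'content:"NetBus"; reference:arachnids,401; classtype:misc-activity; '
    'sid:109; rev:4;)'
)

# Rule actions accepted by Snort 1.x/2.x (the "modes" the post asks about).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Header layout: action proto src_ip src_port direction dst_ip dst_port (options)
# The direction is "->" (one way) or "<>" (both ways); there is no "<-".
HEADER_RE = re.compile(
    r'^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<body>.*)\)\s*$'
)


def parse_port(spec):
    """(low, high) for a port field, or None for 'any'. Accepts '12345',
    '12345:12346', ':1024' and '1024:'; '!' negation and lists are not handled."""
    if spec == "any":
        return None
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def port_matches(spec, port):
    """True if a packet's port falls inside the rule's port field."""
    rng = parse_port(spec)
    return rng is None or rng[0] <= port <= rng[1]


def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash
    escapes so a content:"a;b" value is not cut in half."""
    parts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == ";" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
            continue
        if not escaped and ch == '"':
            in_quotes = not in_quotes
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Parse one Snort rule into a header dict and an ordered option list."""
    joined = re.sub(r"\s*\n\s*", " ", text.strip())   # undo mail line wrapping only
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("does not look like a Snort rule")
    header = m.groupdict()
    body = header.pop("body")
    if header["action"] not in ACTIONS:
        raise ValueError("unknown rule action: " + header["action"])
    options = []
    for opt in split_options(body):
        key, sep, val = opt.partition(":")
        # bare keywords such as "nocase" carry no value
        options.append((key.strip(), val.strip().strip('"') if sep else None))
    return {"header": header, "options": options}


def describe(rule):
    """Plain-English reading of the header, the way the post asks for it."""
    h = rule["header"]
    link = "to" if h["direction"] == "->" else "to/from"
    return "%s on %s from %s port %s %s %s port %s" % (
        h["action"], h["proto"], h["src_ip"], h["src_port"],
        link, h["dst_ip"], h["dst_port"])


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(describe(rule))
    for key, val in rule["options"]:
        print("  %-10s %s" % (key, val))
```

Running it on the quoted rule gives "alert on tcp from $HOME_NET port 12345:12346 to $EXTERNAL_NET port any", followed by the seven options in order. The variables $HOME_NET and $EXTERNAL_NET are left as-is because they are resolved from snort.conf at load time, not from the rule text.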