[Snort-users] Snort rule question

Matt Kettler mkettler at ...4108...
Thu Jun 26 10:19:12 EDT 2003


At 06:37 AM 6/26/2003 -0600, James Lay wrote:
>alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay 
>Attempt"; content:"Relay access denied"; classtype:mail-abuse; 
>sid:1000001; rev:1;)
>
>Now the above rule works.  I originally had:
>
>alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay 
>Attempt"; content:"Relay access denied"; classtype:mail-abuse; 
>sid:1000001; rev:1;)
>
>And it did not work.  Any reason the two aren't equivalent?

Because <- is invalid.

See http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.5

"Also, note that there is no <- operator. In snort versions before 1.8.7, 
the direction operator did not have proper error checking and many people 
used an invalid token. The reason the <- does not exist is so that rules 
always read consistently."
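As an added illustration (my own code, not part of the thread or of Snort), a small Python checker that parses a single-line Snort rule header, rejects the non-existent "<-" token the way Snort 1.8.7+ does, and shows that swapping the endpoints turns the rejected rule into the working one. The two rules below are the ones from the thread, joined onto one line each; the header regex is a simplification of Snort's real parser.

```python
import re

# Snort header grammar: action proto src sport direction dst dport (options)
# Only "->" and "<>" are direction operators; "<-" is an invalid token that
# Snort 1.8.7 and later refuse at rule-load time.
VALID_DIRECTIONS = ("->", "<>")

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def parse_rule(rule):
    """Split one Snort rule into header fields plus the raw option string.
    Raises ValueError on a malformed header or a bad direction token."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:60])
    fields = m.groupdict()
    if fields["dir"] not in VALID_DIRECTIONS:
        raise ValueError("invalid direction operator %r (only -> and <> exist)"
                         % fields["dir"])
    return fields


def is_valid_rule(rule):
    """True if the rule header parses, False otherwise (no exception)."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def fix_reversed_rule(rule):
    """Rewrite a rule written with '<-' into the equivalent '->' form by
    swapping the two endpoints; rules that already parse are rebuilt as-is."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:60])
    f = m.groupdict()
    if f["dir"] == "<-":
        f["src"], f["dst"] = f["dst"], f["src"]
        f["sport"], f["dport"] = f["dport"], f["sport"]
        f["dir"] = "->"
    rebuilt = ("%(action)s %(proto)s %(src)s %(sport)s %(dir)s "
               "%(dst)s %(dport)s (%(opts)s)" % f)
    parse_rule(rebuilt)  # still raises on any other bogus direction token
    return rebuilt


# Constructed sample: the two rules from the thread on one line each.
OPTIONS = ('msg:"Open Mail Relay Attempt"; content:"Relay access denied"; '
           'classtype:mail-abuse; sid:1000001; rev:1;')
GOOD_RULE = "alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (%s)" % OPTIONS
BAD_RULE = "alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (%s)" % OPTIONS
```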