Thu Nov 23 16:36:19 EST 2017
'src foo and dst bar'
'not port 22'
Ignore SSH, but look at all other traffic from foo
'src host foo and not port 22'
All traffic to/from bar, and only telnet traffic from foo
'host bar and (src host foo and port 21)'
For more info on that, have a look at the tcpdump man page, as it gives
a much better explanation than I can. Also have a look at this for an
example of how to use it with Snort.
"When things get weird, the weird turn pro." H.S. Thompson