[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS

Darren Spruell phatbuckett at gmail.com
Mon Sep 12 19:56:25 UTC 2011


There are a number of rules in the Suricata rulesets (ET open, Pro) that
use the following rule header constructs:

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS

Is it intended to be using 'alert http' together with port-bound
variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
$HOME_NET any' construct, although I can see restricting ports for
performance reasons in some cases.

-- 
Darren Spruell
phatbuckett at gmail.com
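A small way to audit a ruleset for the construct the post asks about: the script below (an added example, not part of the original message or of any Suricata or Emerging Threats code) parses rule headers, lists the sids of `alert http` rules that restrict a port via `$HTTP_PORTS` or a literal port, and shows what the port-agnostic `any -> any` variant of each header would look like. The sample rules and their sids (9000001 and up) are constructed for the example; the header regex assumes the common `action proto src sport dir dst dport (options)` layout and does not handle every valid header form (e.g. rules without an option block).

```python
import re

# Constructed sample ruleset (not from ET Open or any real ruleset); sids are placeholders.
SAMPLE_RULES = """\
# comment line, skipped by the parser
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed inbound rule"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed outbound rule"; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed port-agnostic rule"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"constructed tcp rule"; sid:9000004; rev:1;)
"""

# Rule header: action proto src sport dir dst dport, followed by the option block in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<options>\(.*\))\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return one dict per rule line; comments and blank lines are skipped, unparsable lines raise."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse rule header: {line!r}")
        rule = m.groupdict()
        sid = SID_RE.search(rule["options"])
        rule["sid"] = int(sid.group(1)) if sid else None
        rule["raw"] = line
        rules.append(rule)
    return rules


def port_bound_app_layer_rules(rules, proto="http"):
    """Return sids of rules for the given app-layer proto whose header restricts either port."""
    return [
        r["sid"]
        for r in rules
        if r["proto"] == proto and (r["sport"] != "any" or r["dport"] != "any")
    ]


def widen_ports(rule):
    """Return the rule text with both ports rewritten to 'any'; the option block is left untouched."""
    return (
        f"{rule['action']} {rule['proto']} {rule['src']} any {rule['dir']} "
        f"{rule['dst']} any {rule['options']}"
    )


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    bound = set(port_bound_app_layer_rules(rules))
    for r in rules:
        if r["sid"] in bound:
            print("port-bound:", r["raw"])
            print("   widened:", widen_ports(r))
```

Run against the sample input, the report names sids 9000001 and 9000002 as the `alert http` rules tied to `$HTTP_PORTS`; the `alert tcp` rule on port 8080 is ignored because it is not an app-layer HTTP rule. Whether to actually widen a rule is the trade-off the post raises: the `any -> any` form catches HTTP on non-standard ports, while the port-bound form limits how much traffic the rule is evaluated against.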
