[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS
Darren Spruell
phatbuckett at gmail.com
Mon Sep 12 19:56:25 UTC 2011
There's a number of rules in the Suricata rulesets (ET open, Pro) that
use the following rule header constructs:
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
Is it intended to be using 'alert http' together with port-bound
variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
$HOME_NET any' construct, although I can see restricting ports for
performance reasons in some cases.
--
Darren Spruell
phatbuckett at gmail.com
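As an added example (not from the original post, the ET rulesets or Suricata itself), a small Python check that walks a rule file and lists the 'alert http' signatures whose header binds a source or destination port to a variable or port list instead of 'any', which is the construct the question is about. The rules in SAMPLE_RULES are constructed for the example.

```python
import re

# Constructed sample rules in Suricata/ET style (not taken from any real ruleset).
SAMPLE_RULES = """\
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"A"; sid:1; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"B"; sid:2; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"C"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"D"; sid:4; rev:1;)
# comment line, skipped by the parser
alert http $HOME_NET any <> $EXTERNAL_NET [80,8080] (msg:"E"; sid:5; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Return a dict of header fields plus sid, or None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    sid = re.search(r'\bsid\s*:\s*(\d+)', rule["opts"])
    rule["sid"] = int(sid.group(1)) if sid else None
    return rule


def port_bound(port):
    """True when the port field is anything other than the 'any' wildcard
    (a variable such as $HTTP_PORTS, a negation, a list or a single port)."""
    return port.lower() != "any"


def find_port_bound_http_rules(text):
    """Return the sids of 'alert http' rules whose header restricts either port."""
    hits = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r and r["proto"] == "http" and (port_bound(r["sport"]) or port_bound(r["dport"])):
            hits.append(r["sid"])
    return hits


if __name__ == "__main__":
    print(find_port_bound_http_rules(SAMPLE_RULES))  # [1, 2, 5]
```

Feed it a real rules file with open(path).read() to see how many http rules in a ruleset still carry $HTTP_PORTS in the header.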