- rules have a fairly simple format: a header, then the rule options in parentheses. The direction operator between the source and destination pairs is part of the header:
ACTION PROTOCOL SRCADDR SRCPORT DIRECTION DESTADDR DESTPORT ( RULE OPTIONS; )
  DIRECTION is -> (source to destination only) or <> (either direction); every option in the parentheses ends with a semicolon
- A simple rule looks like this (msg takes double quotes; LOCALIP is a placeholder for the host's own address or the $HOME_NET variable; sids of 1000000 and above are reserved for locally written rules, so pick one there, and rev tracks revisions of the rule):
alert tcp any any -> LOCALIP 22 (msg:"attempts SSH connect"; sid:1000001; rev:1;)
- to see all activity on the network (every rule still needs a sid; this one only matches TCP, use the ip protocol if UDP and ICMP should count too, and alerting on every packet floods the alert log, so for traffic capture prefer the log action or a packet logger):
alert tcp any any -> any any (msg:"net traffic"; sid:1000002; rev:1;)
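To make the header layout above concrete, here is an added example (not Snort's code, and not from the original notes): a small Python parser for the ACTION PROTOCOL SRCADDR SRCPORT DIRECTION DESTADDR DESTPORT (OPTIONS;) shape, a checker that enforces the sid requirement, and a matcher that tests a rule header against a packet 5-tuple. The $HOME_NET value, the two rules and the packets are constructed for the example; a real deployment gets $HOME_NET from the Snort configuration.

```python
"""Minimal parser and matcher for Snort-style rule headers (added example)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed variable table; in practice $HOME_NET comes from snort.conf.
VARS = {"$HOME_NET": ["192.168.1.0/24"], "$EXTERNAL_NET": ["any"]}

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key, optional ":value" (a quoted string may contain ';'), terminating ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_options(text):
    """Turn 'msg:"x"; sid:1; rev:1;' into {'msg': 'x', 'sid': '1', 'rev': '1'}."""
    opts = {}
    for key, val in OPTION_RE.findall(text):
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        opts[key] = val
    return opts


def parse_rule(line):
    """Parse one rule; reject unknown actions/protocols and rules without a sid."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule header: %r" % line)
    g = m.groupdict()
    if g["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % g["action"])
    if g["proto"] not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % g["proto"])
    opts = parse_options(g.pop("opts"))
    if "sid" not in opts:
        raise ValueError("every rule needs a sid option")
    return Rule(g["action"], g["proto"], g["src"], g["sport"],
                g["dir"], g["dst"], g["dport"], opts)


def is_local_sid(rule):
    """Snort reserves sids of 1000000 and above for locally written rules."""
    return int(rule.options["sid"]) >= 1000000


def _addr_matches(spec, addr):
    """'any', a $variable, a negation (!x), a single host or a CIDR block."""
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], addr)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(_addr_matches(s, addr) for s in VARS[spec])
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec, port):
    """'any', a negation, a single port, or a lo:hi range with open ends."""
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, proto, src, sport, dst, dport):
    """Test the header against a packet 5-tuple; protocol 'ip' matches any transport."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    forward = (_addr_matches(rule.src, src) and _port_matches(rule.sport, sport)
               and _addr_matches(rule.dst, dst) and _port_matches(rule.dport, dport))
    if rule.direction == "->" or forward:
        return forward
    # '<>' is bidirectional: also accept the packet with the endpoints swapped
    return (_addr_matches(rule.src, dst) and _port_matches(rule.sport, dport)
            and _addr_matches(rule.dst, src) and _port_matches(rule.dport, sport))


# Constructed rules mirroring the two in the notes.
SSH_RULE = 'alert tcp any any -> $HOME_NET 22 (msg:"attempts SSH connect"; sid:1000001; rev:1;)'
ALL_RULE = 'log ip any any -> any any (msg:"net traffic"; sid:1000002; rev:1;)'

if __name__ == "__main__":
    ssh = parse_rule(SSH_RULE)
    print(rule_matches(ssh, "tcp", "10.0.0.5", 51000, "192.168.1.10", 22))  # inbound SYN to 22
    print(rule_matches(ssh, "tcp", "192.168.1.10", 22, "10.0.0.5", 51000))  # reply: '->' does not match
```

The parser deliberately refuses a rule without a sid, which is the error Snort itself raises, and is_local_sid flags rules whose sid collides with the ranges reserved for distributed rule sets; the matcher shows why "any any -> LOCALIP 22" only fires on the inbound half of an SSH session.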