• (msg: 'here is how to log a custom message';)
  • ttl, tos, id: additional matching on IP header fields.
    ttl matches when the packet's TTL field equals the given value:
    alert udp 192.168.2.10 any -> any any (ttl: 1; msg: 'Outgoing traceroute detected'; sid: 123458;)
    alert tcp any any -> 192.168.2.10 any (id: 31337; msg: 'some ELEET cracker'; sid: 131337;)
  • ipopts: match on IP options (the option formats are defined in RFC 791)
  • logto: write matching packets to a separate log file
  • content: match on the packet payload, e.g. (content: 'MLM'; msg: 'some pyramid scheme';)
  • many more options exist; see the Snort documentation
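The rules above are Snort rules, and the easiest way to see what ttl, id and content actually do is to evaluate them against a few packets. The following is an added example, not code from the page or from Snort: a small Python evaluator that parses the header and option list of a rule and applies the header, ttl/tos/id and content checks to packets represented as dicts. The packets, the header wrapped around the page's content example, and the sid 1000001 are constructed here; address negation (!) and port ranges (lo:hi) are supported because real rules use them, which goes slightly beyond the page's examples.

```python
"""Evaluate Snort-style rules (header + ttl/tos/id/content options) against packet dicts."""
import ipaddress
import re

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Split 'key: value; key: value;' into a dict. Quotes (single or double) are
    honoured so a ';' inside a msg or content string does not end the option."""
    opts, buf, quote = {}, [], None
    for ch in text:
        if quote:                      # inside a quoted string
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ";":                # end of one option
            item = "".join(buf).strip()
            buf = []
            if item:
                key, _, val = item.partition(":")
                opts[key.strip()] = val.strip()
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("option not terminated with ';'")
    return opts


def parse_rule(line):
    """Parse one rule line; numeric options (ttl, tos, id, sid) become ints."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    rule["options"] = parse_options(rule.pop("opts"))
    for key in ("ttl", "tos", "id", "sid"):
        if key in rule["options"]:
            rule["options"][key] = int(rule["options"][key])
    return rule


def _addr_matches(spec, addr):
    """'any', a host/CIDR, or a '!'-negated host/CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in network) != negate


def _port_matches(spec, port):
    """'any', a single port, or an inclusive range 'lo:hi' (either end optional)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """pkt keys: proto, src, sport, dst, dport, ttl, tos, id, payload (bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (_port_matches(rule["sport"], pkt["sport"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["options"]
    # ttl, tos and id compare the IP header field with the rule value (equality)
    for field in ("ttl", "tos", "id"):
        if field in opts and pkt.get(field) != opts[field]:
            return False
    # content is a substring search over the payload
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


def alerts_for(rules, pkt):
    """Return (sid, msg) for every rule that fires on the packet."""
    return [(r["options"]["sid"], r["options"]["msg"]) for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in [
    "alert udp 192.168.2.10 any -> any any (ttl: 1; msg: 'Outgoing traceroute detected'; sid: 123458;)",
    "alert tcp any any -> 192.168.2.10 any (id: 31337; msg: 'some ELEET cracker'; sid: 131337;)",
    # header and sid for the content example are constructed; the page shows only the options
    "alert tcp any any -> any 25 (content: 'MLM'; msg: 'some pyramid scheme'; sid: 1000001;)",
]]

# Constructed sample packets: a TTL-1 UDP probe, a TCP segment with IP id 31337,
# an SMTP payload containing 'MLM', and a benign SMTP payload.
SAMPLE_PACKETS = [
    dict(proto="udp", src="192.168.2.10", sport=40000, dst="10.0.0.1", dport=33434, ttl=1, tos=0, id=5, payload=b""),
    dict(proto="tcp", src="10.9.8.7", sport=4444, dst="192.168.2.10", dport=22, ttl=64, tos=0, id=31337, payload=b""),
    dict(proto="tcp", src="10.9.8.7", sport=4444, dst="192.168.2.20", dport=25, ttl=64, tos=0, id=7, payload=b"Subject: join our MLM today"),
    dict(proto="tcp", src="10.9.8.7", sport=4444, dst="192.168.2.20", dport=25, ttl=64, tos=0, id=7, payload=b"hello"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], alerts_for(RULES, pkt))
```

The evaluator accepts the single-quoted strings the page uses as well as double quotes, and treats ttl/id as exact equality, which is what the page describes; it does not implement Snort's |hex| content notation or the relational ttl forms newer Snort versions support.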