Educause Security Discussion mailing list archives

Emerging Threat compromised rules


From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Wed, 21 Jan 2009 09:25:37 -0500

Good morning,

  I was looking through the SNORT ET rules (emerging-compromised.rules)
and saw that they were written in the form of:

        alert ip [ LIST OF BOGUS IPs HERE ] any -> $HOME_NET any (
            msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic (5)";
            reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;
            threshold: type limit, track by_src, seconds 60, count 1;
            classtype:misc-attack; sid:2500004; rev:1397;)


My question is, why [ IPs ] any -> $HOME_NET any ... why not $HOME_NET
any -> [ IPs ] any ?

Does the order "into my network" versus "out of my network" buy me
anything other than the obvious -- forewarned is forearmed?

I do get a lot of false positives from these sigs because of inbound mail,
mostly.

PeteC


Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)
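
The rule direction the post asks about, shown as an added example (editor's code, not from the post, the Educause list or the Emerging Threats project): a small Python script that parses a Snort rule header, emits the reversed ($HOME_NET -> [IPs]) and bidirectional (<>) forms of the rule, and checks two constructed flows against the inbound and reversed rules. The address lists use RFC 5737 documentation ranges and a hypothetical HOME_NET, not addresses from the real emerging-compromised.rules file; the flows are constructed, not captured traffic.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the ET rule header quoted in the post. The IP list
# is hypothetical (RFC 5737 documentation ranges), not the real ET list.
RULE_INBOUND = (
    'alert ip [192.0.2.0/24,198.51.100.7] any -> $HOME_NET any '
    '(msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic"; '
    'threshold: type limit, track by_src, seconds 60, count 1; '
    'classtype:misc-attack; sid:2500004; rev:1397;)'
)

# Hypothetical campus network standing in for $HOME_NET.
VARS = {"HOME_NET": ["203.0.113.0/24"]}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


@dataclass
class Header:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str


def parse_rule(rule: str) -> Header:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    return Header(*m.groups())


def reverse_rule(rule: str) -> str:
    """Outbound counterpart: swap source and destination, keep options."""
    h = parse_rule(rule)
    return f"{h.action} {h.proto} {h.dst} {h.dport} {h.direction} {h.src} {h.sport} ({h.options})"


def bidirectional_rule(rule: str) -> str:
    """Same header with the '<>' operator, matching either direction."""
    h = parse_rule(rule)
    return f"{h.action} {h.proto} {h.src} {h.sport} <> {h.dst} {h.dport} ({h.options})"


def _expand(addr_spec: str, vars_: dict):
    """Resolve 'any' (None), $VAR, [a,b,...] or a single address to networks."""
    if addr_spec == "any":
        return None
    if addr_spec.startswith("$"):
        return [ipaddress.ip_network(n) for n in vars_[addr_spec[1:]]]
    return [ipaddress.ip_network(n.strip()) for n in addr_spec.strip("[]").split(",")]


def _in(ip: str, nets) -> bool:
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def header_matches(rule: str, src_ip: str, dst_ip: str, vars_: dict) -> bool:
    """Address-only check of a rule header against one flow (ports are 'any' here)."""
    h = parse_rule(rule)
    src_nets, dst_nets = _expand(h.src, vars_), _expand(h.dst, vars_)
    forward = _in(src_ip, src_nets) and _in(dst_ip, dst_nets)
    if h.direction == "<>":
        return forward or (_in(dst_ip, src_nets) and _in(src_ip, dst_nets))
    return forward


# Constructed flows: (src_ip, dst_ip, label)
FLOWS = [
    ("198.51.100.7", "203.0.113.25", "inbound SMTP from listed host to campus MX"),
    ("203.0.113.50", "192.0.2.10", "campus workstation connecting out to listed host"),
]


def which_rules_fire(flows, vars_):
    """Map each flow label to the names of the rule variants whose header matches."""
    rules = {"inbound": RULE_INBOUND, "outbound": reverse_rule(RULE_INBOUND)}
    return {
        label: [name for name, r in rules.items() if header_matches(r, src, dst, vars_)]
        for src, dst, label in flows
    }


if __name__ == "__main__":
    print(reverse_rule(RULE_INBOUND))
    print(bidirectional_rule(RULE_INBOUND))
    for label, fired in which_rules_fire(FLOWS, VARS).items():
        print(f"{label}: {fired}")
```

Run it with python3 and the two flows separate cleanly: the inbound form ([IPs] -> $HOME_NET) matches the mail-delivery flow, which is the false-positive case the post describes, while the reversed form ($HOME_NET -> [IPs]) matches only the internal host initiating a connection to a listed address. One caveat when reversing a real rule: the quoted header keeps `threshold: ... track by_src`, so after the swap the limit is keyed on the internal host rather than the listed one, which changes how alerts are rate-limited.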
