Snort mailing list archives

Question: Snort Rule to alert on an "Outer" IP address


From: "LICATO, JAMES J via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 1 Dec 2022 16:54:05 +0000

Hi,

I have PCAP files that contain both Inner SIP/DIP IP addresses, as well as Outer SIP/DIP addresses.

Below is a bogus example Snort Rule I wrote,

alert tcp any any -> any any (content:"|00 11 22 33 44 55|"; sid:9000001; rev:1;) ###Bogus for illustration purposes

where I am trying to alert on a specific byte pattern.

I would like to further restrict this rule to alert only when my Outer SIP IP address is a specific value.  Something to the effect of:

alert tcp 192.168.100.40 any -> any any (content:"|00 11 22 33 44 55|"; sid:9000001; rev:1;) ###Bogus for illustration purposes

I tried this and it is not alerting as expected.  It only seems to alert if I use Inner SIP/DIP values.

Any thoughts on what I may be doing wrong and if it's even possible for a Snort rule to check an Outer SIP/DIP value?

Thank you,
Jim-
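As an added illustration, not part of the original post and not Snort's own code: a small Python parser that walks a constructed IP-in-IP (protocol 4) or GRE (protocol 47) encapsulated packet and reports the Outer and Inner SIP/DIP pairs together with whether the TCP payload carries the rule's byte pattern. It is a quick way to check, per packet in a PCAP, which address pair each layer presents; the encapsulation types, addresses and ports are assumptions.

```python
import socket
import struct

# Constructed sample data (assumption): an outer IP-in-IP header carrying an
# inner IPv4/TCP segment whose payload holds the byte pattern from the rule.
PATTERN = bytes.fromhex("001122334455")


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; fine for offline parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (no options, checksum zero) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload


def ip_layers(pkt):
    """Walk IPv4 headers through IP-in-IP (4) and GRE (47) encapsulation.

    Returns ([(src, dst), ...] outermost first, transport proto, transport offset).
    """
    layers, off = [], 0
    while True:
        ihl = (pkt[off] & 0x0F) * 4
        proto = pkt[off + 9]
        layers.append((socket.inet_ntoa(pkt[off + 12:off + 16]),
                       socket.inet_ntoa(pkt[off + 16:off + 20])))
        off += ihl
        if proto == 4:                  # IP-in-IP: another IPv4 header follows
            continue
        if proto == 47:                 # GRE: 4-byte base header plus optional fields
            flags, ptype = struct.unpack("!HH", pkt[off:off + 4])
            off += 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            if ptype == 0x0800:         # encapsulated IPv4
                continue
        return layers, proto, off


def classify(pkt, pattern=PATTERN):
    """Report outer/inner addresses and whether the TCP payload holds the pattern."""
    layers, proto, off = ip_layers(pkt)
    tcp = proto == 6
    data_off = off + (pkt[off + 12] >> 4) * 4 if tcp else len(pkt)
    return {"outer": layers[0], "inner": layers[-1], "depth": len(layers),
            "tcp": tcp, "pattern": tcp and pattern in pkt[data_off:]}


SAMPLE = (ipv4_header("192.168.100.40", "10.0.0.1", 4, 40 + len(PATTERN))
          + ipv4_header("172.16.5.7", "172.16.9.9", 6, 20 + len(PATTERN))
          + tcp_segment(40000, 80, PATTERN))
```

Running `classify(SAMPLE)` shows the outer pair 192.168.100.40 -> 10.0.0.1 and the inner pair 172.16.5.7 -> 172.16.9.9 for the same packet, so a rule header written against one pair will not describe the other.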
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads