Direction Operators

The direction operator of a header indicates the direction of the traffic that the rule should apply to. There are two valid direction operators:

  • ->
  • <>

The -> operator is the most common, and it denotes that the IP addresses and port numbers on the left side represent the source and the IP addresses and port numbers on the right side represent the destination.

The <> operator is the bidirectional operator, and it tells Snort to consider either of the two IP address and port pairs as the source or the destination.

The direction operator is placed after the first ports declaration in the header.

Examples:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23 (
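
The matching semantics of the two operators can be modelled in a few lines. This is an added illustration, not Snort's own code: the function names and the values in VARS are assumptions, and it handles only `any`, single ports, CIDR blocks and `!` negation.

```python
import ipaddress

# Assumed variable values for illustration; real ones come from the Snort configuration.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

def parse_header(header):
    """Split 'action proto ip port dir ip port (' into its seven fields."""
    action, proto, l_ip, l_port, direction, r_ip, r_port = header.rstrip(" (").split()
    if direction not in ("->", "<>"):
        raise ValueError(f"invalid direction operator: {direction!r}")
    return {"action": action, "proto": proto, "dir": direction,
            "left": (l_ip, l_port), "right": (r_ip, r_port)}

def ip_matches(spec, ip):
    """Evaluate an address spec: '!' negation, a variable, 'any', or a CIDR block."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec in VARS:
        return ip_matches(VARS[spec], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def side_matches(side, ip, port):
    """True if one packet endpoint satisfies one side of the header."""
    ip_spec, port_spec = side
    return ip_matches(ip_spec, ip) and (port_spec == "any" or int(port_spec) == port)

def header_matches(header, src_ip, src_port, dst_ip, dst_port):
    """Apply the direction operator to a packet's endpoints (protocol is not checked)."""
    h = parse_header(header)
    # '->': the left side must be the source and the right side the destination.
    forward = (side_matches(h["left"], src_ip, src_port)
               and side_matches(h["right"], dst_ip, dst_port))
    if h["dir"] == "->":
        return forward
    # '<>': the same pairs are also tried with source and destination swapped.
    reverse = (side_matches(h["left"], dst_ip, dst_port)
               and side_matches(h["right"], src_ip, src_port))
    return forward or reverse

if __name__ == "__main__":
    rule = "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23 ("
    # Constructed packets: a Telnet request and the server's reply.
    print(header_matches(rule, "203.0.113.5", 40000, "192.168.1.10", 23))
    print(header_matches(rule, "192.168.1.10", 23, "203.0.113.5", 40000))
```

With the -> rule above, only traffic from the external port 80 endpoint toward the home network matches; with the <> rule, both the Telnet request and the reply match, while traffic between two hosts inside 192.168.1.0/24 does not.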