
Snort / Suricata rules from HOME_NET with rule option flow:to_client

Çağlar Arlı

Reading through Suricata/Snort IDS rules, I can see examples such as the one below, and I am scratching my head to understand how it is feasible that a connection from home_network to external_network can have a flow direction of to_client. I thought:

  1. home_network to external_network always has (flow:to_server): e.g. my browser sends traffic to "google.com"
  2. external_network to home_network always has (flow:to_client): e.g. the Google server responds to my browser

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ghost 2.3 runtime detection"; flow:to_client,established; content:"ver|3A|Ghost version "; depth:18; nocase; content:"server"; distance:0; nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:6;)
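As an added illustration (not part of the original question or of Snort/Suricata's own code), the following Python tracks which endpoint sent the first SYN of each TCP connection, which is what flow:to_server / flow:to_client refer to, and compares that with the purely address-based direction of the rule header. HOME_NET, the addresses and the packet sequence are constructed for the example; a backdoor listening on a home host makes the home host the server, so its banner travels $HOME_NET -> $EXTERNAL_NET as to_client.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")  # assumed HOME_NET, constructed for this example
Packet = namedtuple("Packet", "src sport dst dport syn ack", defaults=(False, False))

class FlowTracker:
    """Remembers which endpoint sent the first SYN of each TCP connection. That
    endpoint is the 'client' for flow:to_server / flow:to_client, whatever its address."""

    def __init__(self):
        self.clients = {}  # connection key -> (client_ip, client_port)

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def flow_direction(self, p):
        key = self._key(p)
        if p.syn and not p.ack and key not in self.clients:
            self.clients[key] = (p.src, p.sport)  # SYN initiator is the client
        client = self.clients.get(key)
        if client is None:
            return "unknown"  # mid-stream packet; handshake never seen
        return "to_server" if (p.src, p.sport) == client else "to_client"

def header_direction(p):
    """Direction as the rule header sees it: by address only, not by role."""
    src_home = ip_address(p.src) in HOME_NET
    dst_home = ip_address(p.dst) in HOME_NET
    if src_home and not dst_home:
        return "$HOME_NET -> $EXTERNAL_NET"
    if dst_home and not src_home:
        return "$EXTERNAL_NET -> $HOME_NET"
    return "other"

def classify(packets):
    """Return (header direction, flow direction) for each packet, in order."""
    tracker = FlowTracker()
    return [(header_direction(p), tracker.flow_direction(p)) for p in packets]

# Constructed traffic: an external controller connects to a backdoor listening on a
# home host, then the home host sends its banner back. Addresses are made up.
BACKDOOR_SESSION = [
    Packet("203.0.113.7", 40000, "192.168.1.10", 5555, syn=True),
    Packet("192.168.1.10", 5555, "203.0.113.7", 40000, syn=True, ack=True),
    Packet("203.0.113.7", 40000, "192.168.1.10", 5555, ack=True),
    Packet("192.168.1.10", 5555, "203.0.113.7", 40000, ack=True),  # banner: to_client
]
```

Running `classify(BACKDOOR_SESSION)` shows the last packet as ("$HOME_NET -> $EXTERNAL_NET", "to_client"), exactly the combination the rule header and flow option above describe; a browser session from the same home host yields to_server instead.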