Snort mailing list archives

Best way to change and apply multiple rules for a certain criteria


From: "Rochon, Jason" <jcrochon () uic edu>
Date: Fri, 12 Sep 2014 15:35:58 +0000

Hello,

I'm looking for a way to change all my rules that have "PCAnywhere" going outside, to only detect going inside.

Example:
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_server,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)

I would like to change the important parts to alert on attempts to my $HOME_NET only:
Direction change: $HOME_NET 5631:5632 <- $EXTERNAL_NET
Flow change: flow:to_client

Also, should I disable this rule and recreate it in local.rules, or would just editing it suffice?
I forgot whether the order of included rules matters. Would I need to put edited rules at the top?
Example, change this:
include my_custom_rules.rules
include rules_to_be_edited.rules

To this:
include rules_to_be_edited.rules
include my_custom_rules.rules

Are the rules overwritten, so that all custom rules should be last at the bottom of snort.conf?

Thank you and Best Regards,

Jason C. Rochon
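The bulk edit asked about above, as an added example that is not part of the original post or of the Snort project: a Python script that, for every rule whose msg contains "PCAnywhere", swaps the two header endpoints and turns flow:to_server into flow:to_client, leaving every other line of the file untouched. Snort's header grammar only knows `->` and `<>`, so "inbound" is written by exchanging the endpoints (`$EXTERNAL_NET any -> $HOME_NET 5631:5632`) rather than with a `<-` operator; the sample rule is the one quoted in the post, joined onto one line.

```python
import re

# Constructed sample: the rule quoted in the post, joined onto one line.
SAMPLE_RULE = (
    'alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any '
    '(msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_server,established; '
    'content:"Invalid login"; depth:16; metadata:ruleset community; '
    'classtype:unsuccessful-user; sid:512; rev:9;)'
)

# Snort 2 rule header: [#]action proto src sport (->|<>) dst dport (options)
# Endpoints are matched as non-space tokens, so a bracketed address list that
# contains spaces does not match and the line is returned unchanged.
HEADER_RE = re.compile(
    r'^(?P<prefix>#?\s*)(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$'
)

def rewrite_rule(line, needle='PCAnywhere'):
    """Swap the header endpoints and change flow:to_server to flow:to_client,
    but only for rules whose msg contains `needle`; every other line
    (comments, blanks, rules about something else) is returned as-is."""
    m = HEADER_RE.match(line)
    if not m:
        return line
    msg = re.search(r'msg:\s*"([^"]*)"', m.group('opts'))
    if msg is None or needle not in msg.group(1):
        return line
    # Only touch the to_server keyword inside the flow option; 'established'
    # and the rest of the option list stay exactly as they were.
    opts = re.sub(r'(flow:[^;]*?)\bto_server\b', r'\1to_client', m.group('opts'))
    return (f"{m.group('prefix')}{m.group('action')} {m.group('proto')} "
            f"{m.group('dst')} {m.group('dport')} {m.group('dir')} "
            f"{m.group('src')} {m.group('sport')} {opts}")

def rewrite_rules(text, needle='PCAnywhere'):
    """Apply rewrite_rule to every line of a rules file's contents."""
    return '\n'.join(rewrite_rule(l, needle) for l in text.split('\n'))

if __name__ == '__main__':
    # Usage: python rewrite_pcanywhere.py rules_to_be_edited.rules > local.rules
    import sys
    with open(sys.argv[1]) as f:
        print(rewrite_rules(f.read()), end='')
```

Writing the rewritten copies to a separate file (and commenting out or disabling the originals) keeps the vendor rules file unmodified, so the next ruleset update does not silently revert the change.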