Snort mailing list archives

Snort rule help


From: Control Sec via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 12 Feb 2019 11:29:52 -0500

Hello,

Requesting some Snort rule help. I have 2 machines. Each is a server to the other and to other common clients.
Unfortunately, because they are servers for each other for the same application, they call each other on the same
listening port.
 
Ex. (port # changed for privacy)
In some sessions, Server 1 requests data from Server 2 on the listening port 1234
In other sessions, Server 2 requests data from Server 2 on the listening port 1234
Both have clients on the network that request data on the listening port 1234, as well.
 
I am trying to write a rule that says "if server1 and server2 are talking to anyone not on port 1234, alert." The problem is
that because the two servers talk to each other on that port, the rule fires because of the ephemeral port in the session.
Here is a copy of the rule.
 
alert tcp [$SERVERS] any -> [$SERVERS] !1234 (msg:"SERVER talking to each other on unexpected port"; flow:to_server; threshold:type limit, track by_src, count 1, seconds 3600; sid:xxxxxxxx; rev:1;)
 
Where $SERVERS is defined in snort.conf and includes server1 and server2.
 
I thought that “flow:to_server” would cover me, but no luck. Any thoughts?
 
Thanks



Sent from my iPhone
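As an added illustration (not part of the original post and not Snort's matching engine), the following Python model evaluates the posted rule's header and its flow:to_server condition against both halves of a constructed server-to-server session; the addresses and the 5555 port are made-up stand-ins for $SERVERS and an "unexpected" port. It shows that the reply packet of a legitimate session satisfies `!1234` through the ephemeral destination port, so the alert is suppressed only when the session's direction is known.

```python
"""Model of the posted rule header and its flow:to_server check.
Added illustration only: this is not Snort's engine, and the
addresses and the 5555 port are constructed stand-ins."""
from dataclasses import dataclass
from typing import List, Optional

SERVERS = {"10.0.0.1", "10.0.0.2"}  # stand-in for $SERVERS (server1, server2)
LISTEN_PORT = 1234                  # the shared listening port from the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def header_matches(pkt: Packet) -> bool:
    """Rule header: [$SERVERS] any -> [$SERVERS] !1234."""
    return pkt.src in SERVERS and pkt.dst in SERVERS and pkt.dport != LISTEN_PORT


def rule_fires(pkt: Packet, initiator: Optional[str]) -> bool:
    """Header plus flow:to_server. Direction is known only when the session's
    initiator was recorded; with no initiator (model assumption), the header
    alone decides."""
    if not header_matches(pkt):
        return False
    return initiator is None or pkt.src == initiator


def session(client: str, cport: int, server: str, sport: int) -> List[Packet]:
    """Both halves of one exchange: the request and the server's reply."""
    return [Packet(client, cport, server, sport),
            Packet(server, sport, client, cport)]


def alerts(packets: List[Packet], initiator: Optional[str]) -> List[Packet]:
    return [p for p in packets if rule_fires(p, initiator)]


if __name__ == "__main__":
    legit = session("10.0.0.1", 51000, "10.0.0.2", LISTEN_PORT)
    # Initiator known: the reply (1234 -> ephemeral 51000) matches the header
    # but fails flow:to_server, so nothing fires.
    print(alerts(legit, "10.0.0.1"))
    # Direction unknown: the reply's ephemeral destination port satisfies
    # !1234 and the rule fires on legitimate traffic.
    print(alerts(legit, None))
    # The intended catch: a server-to-server session on an unexpected port.
    print(alerts(session("10.0.0.2", 52000, "10.0.0.1", 5555), "10.0.0.2"))
```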