The direction operator -> indicates the orientation, or direction, of the
traffic that the rule applies to. The IP address and port numbers on the left
side of the direction operator are considered to be the traffic coming from the
source host, and the address and port information on the right side of the
operator is the destination host. There is also a bidirectional operator, which
is indicated with a <> symbol. This tells Snort to consider the address/port
pairs in either the source or destination orientation. This is handy for
recording/analyzing both sides of a conversation, such as telnet or POP3
sessions. An example of the bidirectional operator being used to record both
sides of a telnet session is shown in Figure 3.6.
Also, note that there is no <- operator. In Snort versions before 1.8.7, the
direction operator did not have proper error checking and many people used an
invalid token. The reason the <- does not exist is so that rules always read
consistently.
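
The following sketch is an added example, not code from Snort or from this manual. It checks a rule header for a valid direction operator and shows which packets of a telnet session a -> header and a <> header each cover. The function names, the sample headers and the packets are constructed for illustration, and the matcher assumes only "any", a single CIDR block (optionally negated with !) and a single port.

```python
import ipaddress

VALID_OPERATORS = {"->", "<>"}  # the only direction tokens Snort accepts

def parse_header(rule):
    """Split the 7-field rule header; reject any other direction token."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}")
    action, proto, src, sport, op, dst, dport = fields
    if op not in VALID_OPERATORS:
        raise ValueError(f"invalid direction operator {op!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "op": op, "dst": dst, "dport": dport}

def addr_ok(spec, ip):
    """Match 'any', a CIDR block, or a '!'-negated CIDR block."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def port_ok(spec, port):
    """Match 'any' or a single port number."""
    return spec == "any" or int(spec) == port

def header_matches(h, src_ip, sport, dst_ip, dport):
    """Left side is the source, right side the destination; '<>' also tries the swap."""
    def one_way(s_ip, s_port, d_ip, d_port):
        return (addr_ok(h["src"], s_ip) and port_ok(h["sport"], s_port) and
                addr_ok(h["dst"], d_ip) and port_ok(h["dport"], d_port))
    if one_way(src_ip, sport, dst_ip, dport):
        return True
    return h["op"] == "<>" and one_way(dst_ip, dport, src_ip, sport)

# Constructed sample headers and packets (telnet server inside 192.168.1.0/24).
UNI = parse_header("log tcp !192.168.1.0/24 any -> 192.168.1.0/24 23")
BI = parse_header("log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23")
REQUEST = ("10.1.1.5", 40000, "192.168.1.10", 23)   # client to server
REPLY = ("192.168.1.10", 23, "10.1.1.5", 40000)     # server to client

if __name__ == "__main__":
    for name, h in (("->", UNI), ("<>", BI)):
        print(name, header_matches(h, *REQUEST), header_matches(h, *REPLY))
    try:
        parse_header('alert tcp any any <- 192.168.1.0/24 23 (msg:"x";)')
    except ValueError as err:
        print("rejected:", err)
```

Running the same check over a rules file before deployment catches headers that still carry the invalid token from pre-1.8.7 rule sets.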