Can anyone tell me what changed with this sig in V6? Our old filter no longer work. It appears the normal source and destination IP addresses have been swapped but that particular setting on the sig has not changed AFAICT (it was and is set to swap-attacker-victim). The source is the Internet and high ports, the destination is our DMZ and port 443. So, I think this is reply traffic. Conceptually, why would you swap the source/destination for a high port sweep anyway?