# Flow Keywords

## flowbits

`flowbits` consists of an action and the flowbits name.
Flowbits can perform the following actions:

| Action | Description |
|---|---|
| flowbits: set, name | Will set the condition ‘name’ in the flow, if present. |
| flowbits: isset, name | The rule generates an alert when it matches and the condition is set in the flow. |
| flowbits: toggle, name | not supported |
| flowbits: unset, name | Unsets the condition in the flow. |
| flowbits: isnotset, name | The rule generates an alert when it matches and the condition is not set in the flow. |
| flowbits: noalert | No alert will be generated by this rule. |
## flow

The `flow` keyword can be used to match on characteristics of a flow, such as its direction and whether its connection is established or stateless.

The `flow` keyword can have the following options:

| Option | Description |
|---|---|
| to_client | Match on packets from server to client. |
| to_server | Match on packets from client to server. |
| from_client | Match on packets from client to server (same as to_server). |
| from_server | Match on packets from server to client (same as to_client). |
| established | Match on established connections. |
| not_established | not supported |
| stateless | Match on packets that are and are not part of an established connection. |
| only_stream | not supported |
| no_stream | not supported |
| only_frag | not supported |
| no_frag | not supported |

Multiple flow options can be combined, for example:

```
flow:to_client, established
flow:stateless
```
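The following is an added example, not part of the original page, showing how the supported `flow` options and `flowbits` actions gate alerts per flow: a `set` rule with `noalert` records state silently, and `isset`/`isnotset` rules alert only according to that state in the same flow. Rule, packet and payload-matching details are simplified assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    sid: int
    content: str                      # substring that must appear in the payload (assumed matcher)
    flow: set = field(default_factory=set)        # e.g. {"to_server", "established"}
    flowbits: list = field(default_factory=list)  # e.g. [("set", "name"), ("noalert", None)]

@dataclass
class Packet:
    flow_id: str
    direction: str                    # "to_server" or "to_client"
    established: bool
    payload: str

FLOW_ALIASES = {"from_client": "to_server", "from_server": "to_client"}

def flow_matches(opts, pkt):
    """Apply the supported flow options; 'stateless' matches both kinds of packets."""
    for opt in opts:
        opt = FLOW_ALIASES.get(opt, opt)
        if opt in ("to_server", "to_client") and pkt.direction != opt:
            return False
        if opt == "established" and not pkt.established:
            return False
    return True

def evaluate(rules, packets):
    """Return (sid, flow_id) for each alert, tracking flowbits separately per flow."""
    state, alerts = {}, []            # flow_id -> set of flowbit names currently set
    for pkt in packets:
        bits = state.setdefault(pkt.flow_id, set())
        for rule in rules:
            if rule.content not in pkt.payload or not flow_matches(rule.flow, pkt):
                continue
            # isset / isnotset are conditions: the rule only matches if they hold
            if not all((n in bits) if a == "isset" else (n not in bits)
                       for a, n in rule.flowbits if a in ("isset", "isnotset")):
                continue
            for a, n in rule.flowbits:   # set / unset change the flow's state
                if a == "set":
                    bits.add(n)
                elif a == "unset":
                    bits.discard(n)
            if not any(a == "noalert" for a, _ in rule.flowbits):
                alerts.append((rule.sid, pkt.flow_id))
    return alerts

def demo():
    # Constructed rules and packets: flow A sees LOGIN then OK, flow B sees only OK.
    rules = [
        Rule(1, "LOGIN", {"to_server", "established"}, [("set", "saw_login"), ("noalert", None)]),
        Rule(2, "OK", {"to_client", "established"}, [("isset", "saw_login")]),
        Rule(3, "OK", {"from_server"}, [("isnotset", "saw_login")]),
    ]
    packets = [Packet("A", "to_server", True, "LOGIN alice"),
               Packet("A", "to_client", True, "OK"),
               Packet("B", "to_client", True, "OK")]
    return evaluate(rules, packets)   # -> [(2, "A"), (3, "B")]
```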