Flow Keywords

flowbits

A flowbits option consists of an action and the name of the flowbit, separated by a comma (for example, flowbits: set, name). The flowbit is state attached to the flow, so a bit set by one rule is visible to rules that match later packets of the same flow and to no other flow.

Flowbits can perform the following actions:

Action                     Description
flowbits: set, name        Sets the condition 'name' in the flow.
flowbits: isset, name      The rule generates an alert when it matches and the condition 'name' is set in the flow.
flowbits: toggle, name     Not supported.
flowbits: unset, name      Unsets the condition 'name' in the flow.
flowbits: isnotset, name   The rule generates an alert when it matches and the condition 'name' is not set in the flow.
flowbits: noalert          No alert will be generated by this rule. Use it on a rule whose only purpose is to set or unset a flowbit for other rules to check.

flow

The flow keyword can be used to match on characteristics of a flow, such as its direction and whether the connection is established or stateless.

The flow keyword can have the following options:

Option            Description
to_client         Match on packets from server to client.
to_server         Match on packets from client to server.
from_client       Match on packets from client to server (same as to_server).
from_server       Match on packets from server to client (same as to_client).
established       Match only on packets that belong to an established connection.
not_established   Not supported.
stateless         Match on packets whether or not they are part of an established connection.
only_stream       Not supported.
no_stream         Not supported.
only_frag         Not supported.
no_frag           Not supported.

Multiple flow options can be combined, for example:

flow:to_client, established
flow:stateless
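The following is an added example, not code from this page's product or from Suricata, that simulates how the flow and flowbits options above behave on a sequence of packets. The Packet and Rule classes, the flow identifiers, and the FTP-like payloads are all constructed for the illustration; a real engine derives the flow from the 5-tuple and tracks TCP state itself. Only the options this page lists as supported are accepted; the ones it marks "not supported" raise an error. The scenario is the usual pairing described above: a noalert rule sets a flowbit on the client's request, a second rule alerts on the server's reply only when that bit is set in the same flow, and a third rule unsets it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    # Constructed stand-in for a decoded packet: the flow it belongs to
    # (normally derived from the 5-tuple), its direction, and whether the
    # TCP session is past the handshake.
    flow_id: str
    direction: str          # "to_server" or "to_client"
    established: bool
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    content: Optional[bytes] = None
    flow: Tuple[str, ...] = ()                            # e.g. ("to_client", "established")
    flowbits: Tuple[Tuple[str, Optional[str]], ...] = ()  # e.g. (("isset", "ftp.anon"),)


# Direction options from the flow table; from_* are aliases of to_*.
DIRECTION = {
    "to_server": "to_server", "from_client": "to_server",
    "to_client": "to_client", "from_server": "to_client",
}


def flow_matches(pkt: Packet, options: Tuple[str, ...]) -> bool:
    """Apply the flow: options of a rule to one packet."""
    for opt in options:
        if opt in DIRECTION:
            if pkt.direction != DIRECTION[opt]:
                return False
        elif opt == "established":
            if not pkt.established:
                return False
        elif opt == "stateless":
            continue                      # matches established or not
        else:                             # not_established, only_stream, ...
            raise ValueError("flow option not supported here: %s" % opt)
    return True


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (sid, flow_id) for every alert, keeping flowbits per flow."""
    bits: Dict[str, Set[str]] = {}
    alerts: List[Tuple[int, str]] = []
    for pkt in packets:
        flow_bits = bits.setdefault(pkt.flow_id, set())
        for rule in rules:
            if not flow_matches(pkt, rule.flow):
                continue
            if rule.content is not None and rule.content not in pkt.payload:
                continue
            # isset / isnotset are conditions: they gate whether the rule matches at all
            ok = True
            for action, name in rule.flowbits:
                if action == "isset" and name not in flow_bits:
                    ok = False
                elif action == "isnotset" and name in flow_bits:
                    ok = False
                elif action not in ("isset", "isnotset", "set", "unset", "noalert"):
                    raise ValueError("flowbits action not supported here: %s" % action)
            if not ok:
                continue
            # set / unset change the flow's state; noalert suppresses the alert
            alert = True
            for action, name in rule.flowbits:
                if action == "set":
                    flow_bits.add(name)
                elif action == "unset":
                    flow_bits.discard(name)
                elif action == "noalert":
                    alert = False
            if alert:
                alerts.append((rule.sid, pkt.flow_id))
    return alerts


RULES = [
    # sid 1: remember that the client asked for an anonymous login, but stay quiet
    Rule(1, "ftp anonymous login attempt", b"USER anonymous",
         ("to_server", "established"), (("set", "ftp.anon"), ("noalert", None))),
    # sid 2: alert on the server's 230 reply only if sid 1 matched earlier in the same flow
    Rule(2, "ftp anonymous login succeeded", b"230",
         ("to_client", "established"), (("isset", "ftp.anon"),)),
    # sid 3: clear the flag once the client quits
    Rule(3, "ftp quit", b"QUIT",
         ("to_server", "established"), (("unset", "ftp.anon"), ("noalert", None))),
]

# Constructed traffic, not a capture: only flow A logs in anonymously
PACKETS = [
    Packet("A", "to_server", True, b"USER anonymous\r\n"),          # sid 1 sets the bit
    Packet("A", "to_client", True, b"230 Login successful.\r\n"),   # sid 2 alerts
    Packet("B", "to_client", True, b"230 Login successful.\r\n"),   # no bit in flow B
    Packet("A", "to_server", True, b"QUIT\r\n"),                    # sid 3 unsets the bit
    Packet("A", "to_client", True, b"230 Login successful.\r\n"),   # bit gone, no alert
    Packet("C", "to_server", False, b"USER anonymous\r\n"),         # not established
    Packet("C", "to_client", False, b"230 Login successful.\r\n"),  # neither rule matches
]


def demo() -> List[Tuple[int, str]]:
    return evaluate(RULES, PACKETS)


if __name__ == "__main__":
    for sid, flow in demo():
        print("alert sid:%d on flow %s" % (sid, flow))
```

Running it produces a single alert, sid 2 on flow A: the same 230 reply in flow B, or in flow A after QUIT, or on a connection that is not established, matches nothing, which is exactly the per-flow scoping that makes the set/noalert plus isset pairing useful.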