diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst index 00801352303e..358c110496fe 100644 --- a/doc/userguide/rules/flow-keywords.rst +++ b/doc/userguide/rules/flow-keywords.rst 
@@ -318,90 +318,55 @@ Signature example:: In this example, we combine `flow.age` and `flowbits` to get an alert on the first packet after the flow's age is older than one hour. -flow.pkts_toclient ------------------- +flow.pkts +--------- -Flow number of packets to client (integer) +Flow number of packets (integer) This keyword does not wait for the end of the flow, but will be checked at each packet. -flow.pkts_toclient uses an :ref:`unsigned 32-bit integer `. +flow.pkts uses an :ref:`unsigned 32-bit integer ` and supports +following directions: -Syntax:: - - flow.pkts_toclient: [op] - -The number of packets can be matched exactly, or compared using the _op_ setting:: - - flow.pkts_toclient:3 # exactly 3 - flow.pkts_toclient:<3 # smaller than 3 - flow.pkts_toclient:>=2 # greater than or equal to 2 - -Signature example:: - - alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toclient:20; sid:1;) - -flow.pkts_toserver ------------------- +* toclient -Flow number of packets to server (integer) -This keyword does not wait for the end of the flow, but will be checked at each packet. - -flow.pkts_toserver uses an :ref:`unsigned 32-bit integer `. +* toserver Syntax:: - flow.pkts_toserver: [op] + flow.pkts:,[op] The number of packets can be matched exactly, or compared using the _op_ setting:: - flow.pkts_toserver:3 # exactly 3 - flow.pkts_toserver:<3 # smaller than 3 - flow.pkts_toserver:>=2 # greater than or equal to 2 + flow.pkts:toclient,3 # exactly 3 + flow.pkts:toserver,<3 # smaller than 3 Signature example:: - alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toserver:20; sid:1;) - -flow.bytes_toclient -------------------- + alert ip any any -> any any (msg:"Flow has 20 packets in toclient dir"; flow.pkts:toclient,20; sid:1;) -Flow number of bytes to client (integer) -This keyword does not wait for the end of the flow, but will be checked at each packet. - -flow.bytes_toclient uses an :ref:`unsigned 64-bit integer `. 
- -Syntax:: - - flow.bytes_toclient: [op] - -The number of packets can be matched exactly, or compared using the _op_ setting:: - - flow.bytes_toclient:3 # exactly 3 - flow.bytes_toclient:<3 # smaller than 3 - flow.bytes_toclient:>=2 # greater than or equal to 2 -Signature example:: +flow.bytes +---------- - alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toclient:<2000; sid:1;) +Flow number of bytes (integer) +This keyword does not wait for the end of the flow, but will be checked at each packet. -flow.bytes_toserver -------------------- +flow.bytes uses an :ref:`unsigned 64-bit integer ` and supports +following directions: -Flow number of bytes to server (integer) -This keyword does not wait for the end of the flow, but will be checked at each packet. +* toclient -flow.bytes_toserver uses an :ref:`unsigned 64-bit integer `. +* toserver Syntax:: - flow.bytes_toserver: [op] + flow.bytes:,[op] -The number of packets can be matched exactly, or compared using the _op_ setting:: +The number of bytes can be matched exactly, or compared using the _op_ setting:: - flow.bytes_toserver:3 # exactly 3 - flow.bytes_toserver:<3 # smaller than 3 - flow.bytes_toserver:>=2 # greater than or equal to 2 + flow.bytes:toclient,3 # exactly 3 + flow.bytes:toserver,<3 # smaller than 3 Signature example:: - alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;) + alert ip any any -> any any (msg:"Flow has less than 2000 bytes in toserver dir"; flow.bytes:toserver,<2000; sid:1;)
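Review bot: the comparison examples under both new `Syntax::` blocks drop the `>=` case that the old `flow.pkts_toclient:>=2` / `flow.bytes_toserver:>=2` lines documented, so a reader can no longer see that `>=` is an accepted _op_ value; suggest keeping one such line in each list, e.g. `flow.pkts:toserver,>=2 # greater than or equal to 2` and `flow.bytes:toclient,>=2 # greater than or equal to 2`. Two smaller points in the same region: "supports following directions" should read "supports the following directions" in both the `flow.pkts` and `flow.bytes` paragraphs, and since this change removes the `flow.pkts_toclient`, `flow.pkts_toserver`, `flow.bytes_toclient` and `flow.bytes_toserver` sections outright, a one-line note telling rule writers that existing signatures using those keywords must be rewritten to the `flow.pkts:<direction>,...` / `flow.bytes:<direction>,...` form (or a pointer to the upgrade notes) would save users a surprise when their rules stop loading.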