From 246acc714071c96f81028b55dcedd753479dbcb6 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Mon, 29 Jul 2024 16:55:30 -0300 Subject: [PATCH] userguide: clarify flow:stateless explanation While not incorrect, the previous wording made the sentence almost paradoxical. While at it, also highlight a side effect that might not be so clear to users. Related to Bug #6976 --- doc/userguide/rules/flow-keywords.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst index fff833a8ba..0080135230 100644 --- a/doc/userguide/rules/flow-keywords.rst +++ b/doc/userguide/rules/flow-keywords.rst @@ -90,7 +90,8 @@ established not_established Match on packets that are not part of an established connection. stateless - Match on packets that are and are not part of an established connection. + Match on packets that are part of a flow, regardless of connection state. + (This means that packets that are not seen as part of a flow won't match). only_stream Match on packets that have been reassembled by the stream engine. no_stream @@ -403,4 +404,4 @@ The number of packets can be matched exactly, or compared using the _op_ setting Signature example:: - alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;) \ No newline at end of file + alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)
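Review bot: In the `stateless` hunk (@@ -90,7 +90,8 @@), the added parenthetical says that packets "not seen as part of a flow won't match" but does not say which packets those are, so a rule writer still cannot tell from this entry when a `flow:stateless` rule will fail to match. Suggest naming the condition, or cross-referencing the part of the guide that explains when a packet has no flow. Minor style point on the same line: the parenthetical is a complete sentence, so the period belongs inside the closing parenthesis, as in `(This means that packets that are not seen as part of a flow won't match.)`.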
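Review bot: In the last hunk (@@ -403,4 +404,4 @@), the only change is the missing end-of-file newline after the `flow.bytes_toserver:<2000` signature example, and the commit message does not mention it. Suggest either noting the newline fix in the message or moving it to a separate commit, so this change stays scoped to the `flow:stateless` wording it describes.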