userguide: clarify flow:stateless explanation

While not incorrect, the previous wording made the sentence almost paradoxical. While at it, also highlight a side effect that might not be so clear to users. Related to Bug #6976
7 months ago · 246acc7140
parent ede77bc4db
commit 246acc7140
1 changed files with 3 additions and 2 deletions
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@ -90,7 +90,8 @@ established
 not_established
  Match on packets that are not part of an established connection.
 stateless
-  Match on packets that are and are not part of an established connection.
+  Match on packets that are part of a flow, regardless of connection state.
+  (This means that packets that are not seen as part of a flow won't match).
 only_stream
  Match on packets that have been reassembled by the stream engine.
 no_stream
@ -403,4 +404,4 @@ The number of packets can be matched exactly, or compared using the _op_ setting

 Signature example::

- alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)
+ alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)