detect/config: add flow tracking doc

pull/13410/head
Victor Julien 1 month ago committed by Victor Julien
parent 00336c45f4
commit f2faba5a23

@ -12,6 +12,12 @@ This example will detect if a DNS query contains the string `suricata` and if
so disable the DNS transaction logging. This means that `eve.json` records, so disable the DNS transaction logging. This means that `eve.json` records,
but also Lua output, will not be generated/triggered for this DNS transaction. but also Lua output, will not be generated/triggered for this DNS transaction.
Example::
config tcp:pre_flow any any <> any 666 (config: tracking disable, type flow, scope packet; sid:1;)
This example skips flow tracking for any packet from or to tcp port 666.
Keyword Keyword
------- -------
@ -24,14 +30,17 @@ Syntax::
`subsys` can be set to: `subsys` can be set to:
* `logging` setting affects logging. * `logging` setting affects logging.
* `tracking` setting affects tracking.
`type` can be set to: `type` can be set to:
* `tx` sub type of the `subsys`. If `subsys` is set to `logging`, setting the `type` to `tx` means transaction logging is affected. * `tx` sub type of the `subsys`. If `subsys` is set to `logging`, setting the `type` to `tx` means transaction logging is affected.
* `flow` sub type of the `subsys`. If `subsys` is set to `flow`, setting the `type` to `flow` means flow tracking is disabled.
`scope` can be set to: `scope` can be set to:
* `tx` setting affects the matching transaction. * `tx` setting affects the matching transaction.
* `packet` setting affects the matching packet.
The `action` in `<subsys>` is currently limited to `disable`. The `action` in `<subsys>` is currently limited to `disable`.

Loading…
Cancel
Save