In this example, we combine `flow.age` and `flowbits` to get an alert on the first packet after the flow's age is older than one hour.
-flow.pkts_toclient
-------------------
+flow.pkts
+---------
-Flow number of packets to client (integer)
+Flow number of packets (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
-flow.pkts_toclient uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+flow.pkts uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>` and supports
+following directions:
-Syntax::
-
- flow.pkts_toclient: [op]<number>
-
-The number of packets can be matched exactly, or compared using the _op_ setting::
-
- flow.pkts_toclient:3 # exactly 3
- flow.pkts_toclient:<3 # smaller than 3
- flow.pkts_toclient:>=2 # greater than or equal to 2
-
-Signature example::
+* toclient
- alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toclient:20; sid:1;)
-
-flow.pkts_toserver
-------------------
-
-Flow number of packets to server (integer)
-This keyword does not wait for the end of the flow, but will be checked at each packet.
-
-flow.pkts_toserver uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+* toserver
Syntax::
- flow.pkts_toserver: [op]<number>
+ flow.pkts:<direction>,[op]<number>
The number of packets can be matched exactly, or compared using the _op_ setting::
- flow.pkts_toserver:3 # exactly 3
- flow.pkts_toserver:<3 # smaller than 3
- flow.pkts_toserver:>=2 # greater than or equal to 2
+ flow.pkts:toclient,3 # exactly 3
+ flow.pkts:toserver,<3 # smaller than 3
Signature example::
- alert ip any any -> any any (msg:"Flow has 20 packets"; flow.pkts_toserver:20; sid:1;)
-
-flow.bytes_toclient
--------------------
+ alert ip any any -> any any (msg:"Flow has 20 packets in toclient dir"; flow.pkts:toclient,20; sid:1;)
-Flow number of bytes to client (integer)
-This keyword does not wait for the end of the flow, but will be checked at each packet.
+.. note:: Suricata also supports ``flow.pkts_toclient`` and ``flow.pkts_toserver``
+ keywords for ``flow.pkts:toclient`` and ``flow.pkts:toserver`` respectively but
+ that is not the preferred syntax.
-flow.bytes_toclient uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+flow.bytes
+----------
-Syntax::
-
- flow.bytes_toclient: [op]<number>
-
-The number of packets can be matched exactly, or compared using the _op_ setting::
-
- flow.bytes_toclient:3 # exactly 3
- flow.bytes_toclient:<3 # smaller than 3
- flow.bytes_toclient:>=2 # greater than or equal to 2
-
-Signature example::
-
- alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toclient:<2000; sid:1;)
+Flow number of bytes (integer)
+This keyword does not wait for the end of the flow, but will be checked at each packet.
-flow.bytes_toserver
--------------------
+flow.bytes uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>` and supports
+following directions:
-Flow number of bytes to server (integer)
-This keyword does not wait for the end of the flow, but will be checked at each packet.
+* toclient
-flow.bytes_toserver uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+* toserver
Syntax::
- flow.bytes_toserver: [op]<number>
+ flow.bytes:<direction>,[op]<number>
-The number of packets can be matched exactly, or compared using the _op_ setting::
+The number of bytes can be matched exactly, or compared using the _op_ setting::
- flow.bytes_toserver:3 # exactly 3
- flow.bytes_toserver:<3 # smaller than 3
- flow.bytes_toserver:>=2 # greater than or equal to 2
+ flow.bytes:toclient,3 # exactly 3
+ flow.bytes:toserver,<3 # smaller than 3
Signature example::
- alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)
+ alert ip any any -> any any (msg:"Flow has less than 2000 bytes in toserver dir"; flow.bytes:toserver,<2000; sid:1;)
+
+.. note:: Suricata also supports ``flow.bytes_toclient`` and ``flow.bytes_toserver``
+ keywords for ``flow.bytes:toclient`` and ``flow.bytes:toserver`` respectively but
+ that is not the preferred syntax.
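Review bot: "supports following directions:" in the new ``flow.pkts`` and ``flow.bytes`` paragraphs is missing an article; both should read "and supports the following directions:". Two smaller points in the same region: the rewritten ``_op_`` examples keep only the exact-match and ``<`` cases (``flow.pkts:toclient,3`` and ``flow.pkts:toserver,<3``, likewise for ``flow.bytes``), so the ``>=2 # greater than or equal to 2`` example that showed a compound operator is lost; consider keeping it, e.g. `` flow.pkts:toclient,>=2 # greater than or equal to 2``. And the two ``.. note::`` blocks say the old ``flow.pkts_toclient``/``flow.pkts_toserver`` and ``flow.bytes_toclient``/``flow.bytes_toserver`` keywords are "not the preferred syntax" without saying whether they are kept as permanent aliases or are deprecated; since their own sections are removed by this change, stating that explicitly tells rule authors whether existing rules need migrating.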