Suricata offers several ways of analyzing performance of rules and the
engine itself.
+.. _config:engine-analysis:
+
Engine-analysis
~~~~~~~~~~~~~~~
+.. _transactions:
+
************
Transactions
************
tag
vlan-keywords
ldap-keywords
+ rule-types
--- /dev/null
+.. role:: example-rule-action
+.. role:: example-rule-header
+.. role:: example-rule-options
+.. role:: example-rule-emphasis
+
+Rule Types and Categorization
+=============================
+
+Once parsed, Suricata rules are categorized for performance and further
+processing (as different rule types will be handled by specific engine modules).
+The signature types are defined in `src/detect.h
+<https://github.com/OISF/suricata/blob/master/src/detect.h>`_:
+
+.. literalinclude:: ../../../src/detect.h
+ :caption: src/detect.h
+ :language: c
+ :start-after: // rule types documentation tag start: SignatureType
+ :end-before: // rule types documentation tag end: SignatureType
+
+In more human readable terms:
+
+.. list-table:: Suricata Rule Types, and their Engine Analysis Term
+ :header-rows: 1
+
+ * - Rule Type
+ - Code Symbol
+ - Engine-Analysis Representation
+ * - Decoder Events Only
+ - ``SIG_TYPE_DEONLY``
+ - ``de_only``
+ * - Packet
+ - ``SIG_TYPE_PKT``
+ - ``pkt``
+ * - IP Only
+ - ``SIG_TYPE_IPONLY``
+ - ``ip_only``
+ * - IP Only (contains negated address(es))
+ - ``SIG_TYPE_LIKE_IPONLY``
+ - ``like_ip_only``
+ * - Protocol Detection Only
+ - ``SIG_TYPE_PDONLY``
+ - ``pd_only``
+ * - Packet-Stream
+ - ``SIG_TYPE_PKT_STREAM``
+ - ``pkt_stream``
+ * - Stream
+ - ``SIG_TYPE_STREAM``
+ - ``stream``
+ * - Application Layer Protocol
+ - ``SIG_TYPE_APPLAYER``
+ - ``app_layer``
+ * - Application Layer Protocol Transactions
+ - ``SIG_TYPE_APP_TX``
+ - ``app_tx``
+
+The rule type will impact:
+
+ - To what does the signature action apply, in case of a match (`Action Scope`)
+ - When is the rule matched against traffic (`Inspection Hook`)
+ - Against what the rule matches (`Data Exposed`)
+
+This categorization is done taking into consideration the presence or absence of
+certain rule elements, as well as the type of keywords used. The categorization
+currently takes place in `src/detect-engine-build.c:void SignatureSetType()
+<https://github.com/OISF/suricata/blob/master/src/detect-engine-build.c#L1642-L1704>`_.
+
+The ``SignatureSetType()`` overall flow is described below:
+
+.. image:: rule-types/OverallAlgoHorizontal.png
+ :align: center
+ :width: 600
+ :alt: A flowchart representing the SignatureSetType function.
+
+Flowcharts expanding uncovered functions or portions of the overall algorithm
+above are shown in the :ref:`detailed-flowcharts-sig-type` section.
+
+The following table lists all Suricata signature types, and how they impact the
+aspects aforementioned.
+
+.. list-table:: Suricata Rule Types
+ :widths: 10 17 22 29 26
+ :header-rows: 1
+
+ * - Type
+ - Action Scope
+ - Inspection Hook
+ - Data Exposed
+ - Keyword Examples
+
+ (non-exhaustive)
+ * - :ref:`Decoder Events Only <de-only-rule-type>`
+
+ (``de_only``)
+ - Packet
+ - Per-broken/ invalid packet
+ - Decoding events
+ - ``decode-event``
+ * - :ref:`Packet <pkt-rule-type>`
+
+ (``pkt``)
+ - Packet
+ - Per-packet basis
+ - Packet-level info (e.g.: header info)
+ - ``tcp-pkt``, ``itype``, ``tcp.hdr``, ``tcp.seq``, ``ttl`` etc.
+ * - :ref:`IP Only <ip-only-rule-type>`
+
+ (``ip_only``)
+ - Flow (if existing). Packets (if not part of a flow)
+ - Once per direction
+ - IP addresses on the flow
+ - Source/ Destination field of a rule
+ * - :ref:`IP Only (contains negated address) <like-ip-only-rule-type>` :sup:`2`
+
+ (``like_ip_only``)
+ - Flow
+ - All packets
+ - IP addresses on the flow
+ - Source/ Destination field of a rule containing negated address
+ * - :ref:`Protocol Detection Only <pd-only-rule-type>`
+
+ (``pd_only``)
+ - Flow
+ - Once per direction, when protocol detection is done
+ - Protocol detected for the flow
+ - ``app-layer-protocol``
+ * - :ref:`Packet-Stream <pkt-stream-rule-type>`
+
+ (``pkt_stream``)
+ - Flow, if stateful :sup:`1`
+ - Per stream chunk, if stateful, per-packet if not
+
+ (stream payload AND packet payload)
+ - The reassembled stream and/or payload data
+ - ``content`` with ``startswith`` or ``depth``
+ * - :ref:`Stream <stream-rule-type>`
+
+ (``stream``)
+ - Flow, if stateful :sup:`1`
+ - Stream chunks, if stateful, just packets if not
+ - Stream reassembled payload or packet payload data
+ - ``tcp-stream`` in protocol field; simple ``content``; ``byte_extract``
+ * - :ref:`Application Layer Protocol <app-layer-rule-type>`
+
+ (``app_layer``)
+ - Flow
+ - Per-packet basis
+ - 'protocol' field in a rule
+ - `Protocol field <https://suri-rtd-test.readthedocs.io/en/doc-sigtypes-et-properties-v5/rules/intro.html#protocol>`_ of a rule
+ * - :ref:`Application Layer Protocol Transactions <app-tx-rule-type>`
+
+ (``app_tx``)
+ - Flow
+ - Per :ref:`transaction <transactions>` update
+ - Buffer keywords
+ - Application layer protocol-related, e.g. ``http.host``, ``rfb.secresult``,
+ ``dcerpc.stub_data``, ``frame`` keywords
+
+.. note:: Action Scope: `Flow, if stateful`
+
+ (1) Apply to the flow. If a segment isn't accepted into a stream for any
+ reason (such as packet anomalies, errors, memcap reached etc), the rule will
+ be applied on a packet level.
+
+.. warning::
+
+ Although both are related to matching on application layer protocols, as the
+ table suggests, since Suricata 7 a Protocol Detection rule (that uses the
+ ``app-layer-protocol`` keyword) is not internally classified the same as a
+ rule simply matching on the application layer protocol on the ``protocol``
+ field.
+
+Signature Properties
+--------------------
+
+The `Action Scope` mentioned above relates to the Signature Properties, as seen in
+`src/detect-engine.c <https://github.com/OISF/suricata/blob/master/src/detect-engine.c>`_:
+
+.. literalinclude:: ../../../src/detect-engine.c
+ :caption: src/detect-engine.c
+ :language: c
+ :start-after: // rule types documentation tag start: SignatureProperties
+ :end-before: // rule types documentation tag end: SignatureProperties
+
+Signature: Require Real Packet
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Aside from the scope of action of a signature, certain rule conditions will
+require that it matches against a *real packet* (as opposed to a *pseudo packet*).
+These rules are flagged with ``SIG_MASK_REQUIRE_REAL_PKT`` by the engine, and
+will have ``real_pkt`` listed as one of the rule's ``requirements``. (See
+``engine-analysis`` example output for the :ref:`pkt-rule-type` rule type.)
+
+A *pseudo packet* is an internal resource used by the engine when a flow is over
+but there is still data to be processed, such as when there is a flow timeout.
+A fake packet is then injected in the flow to finish up processing before ending it.
+
+Those two types will be more documented soon (tracking
+`#7424 <https://redmine.openinfosecfoundation.org/issues/7424>`_).
+
+.. _variable-like-keywords-sig-type:
+
+Signature Types and Variable-like Keywords
+------------------------------------------
+
+Keywords such as flow variables (``flowint``, ``flowbits``), ``datasets``,
+and similar ones can alter the rule type, if present in a signature.
+
+That happens because the variable condition can change per packet. Thus, the
+Signature is categorized as a `packet` rule.
+
+This affects rule types:
+
+ - Application Layer (``app_layer``)
+ - Protocol Detection Only (``pd_only``)
+ - Decoder Events Only (``de_only``)
+ - IP Only (``ip_only``) :sup:`3`
+ - Like IP Only (``like_ip_only``) :sup:`3`
+
+The rule examples provided further cover some such cases, but the table below
+lists those keywords with more details:
+
+.. list-table:: Variable-like Keywords
+ :header-rows: 1
+
+ * - Keyword
+ - Keyword Option
+ - Rule Type change?
+ * - ``flow``
+ - ``to_server``, ``to_client``
+ - no type changes :sup:`3`
+ * - ``flow``
+ - ``established``, ``not_established``
+ - to `packet`
+ * - ``flowbits``, ``xbits``, ``hostbits``
+ - ``isset``, ``isnotset``
+ - to `packet`
+ * - ``flowbits``, ``xbits``, ``hostbits``
+ - ``set``, ``unset``, ``toggle``
+ - no type change
+ * - ``flowint``
+ - ``isset``, ``notset``, all operators
+ - to `packet`
+ * - ``flowint``
+ - defining the variable; unseting;
+ - no type change
+ * - ``iprep``
+ - ``isset``, ``notset``, all operators
+ - to `packet`
+
+.. note:: IP Only and Like IP Only
+
+ (3) Unlike the other affected types, signatures that would otherwise be
+ classified as ``ip_only`` or ``like_ip_only`` become Packet rules if the
+ ``flow`` keyword is used, regardless of option.
+
+.. note::
+
+ ``dataset``, while may look similar to the keywords above, doesn't pertain
+ to this list as it can only be used with sticky buffer keywords, thus being
+ only available to Application Layer Transaction rules (`app_tx`), which are
+ not affected by this.
+
+Flowbits: ``isset``
+^^^^^^^^^^^^^^^^^^^
+
+If a non-stateful rule (e.g. a ``pkt`` rule) checks if a flowbit is set (like in
+*flowbits:fb6,isset*) and the rule that sets that variable is a stateful one,
+such as an ``app_tx`` rule, the engine will set a flag to indicate that that
+rule is also stateful - without altering its signature type. This flag is
+currently ``SIG_FLAG_INIT_STATE_MATCH`` (cf. ticket `#7483
+<https://redmine.openinfosecfoundation.org/issues/7483>`_).
+
+There is a work-in-progress to add information about this to the ``engine-analysis``
+report (ticket `#7456 <https://redmine.openinfosecfoundation.org/issues/7456>`_).
+
+
+Signatures per Type
+-------------------
+
+This section offers brief descriptions for each rule type, and illustrates what
+signatures of each type may look like. It is possible to learn the type of a
+signature, as well as other important information, by running Suricata in
+:ref:`engine analysis <config:engine-analysis>` mode.
+
+For each rule type, there is also a sample of the Engine Analysis report
+for one or more of rule(s) shown.
+
+.. _de-only-rule-type:
+
+Decoder Events Only
+^^^^^^^^^^^^^^^^^^^
+
+Signatures the inspect broken or invalid packets. They expose Suricata decoding
+events.
+
+For more examples check https://github.com/OISF/suricata/blob/master/rules/decoder-events.rules.
+
+Example
+"""""""
+
+.. container:: example-rule
+
+ alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; :example-rule-emphasis:`decode-event:ipv6.exthdr_dupl_hh;` classtype:protocol-command-decode; sid:1101;)
+
+.. container:: example-rule
+
+ drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; `:example-rule-emphasis:`decode-event:ipv4.opt_invalid_len;` classtype:protocol-command-decode; sid:2200005; rev:2;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert pkthdr any any -> any any (msg:\"SURICATA IPv6 duplicated Hop-By-Hop Options extension header\"; decode-event:ipv6.exthdr_dupl_hh; classtype:protocol-command-decode; sid:1101;)",
+ "id": 1101,
+ "gid": 1,
+ "rev": 0,
+ "msg": "SURICATA IPv6 duplicated Hop-By-Hop Options extension header",
+ "app_proto": "unknown",
+ "requirements": [
+ "engine_event"
+ ],
+ "type": "de_only",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [
+ {
+ "name": "packet",
+ "is_mpm": false
+ }
+ ],
+ "frame_engines": [],
+ "lists": {
+ "packet": {
+ "matches": [
+ {
+ "name": "decode-event"
+ }
+ ]
+ }
+ }
+ }
+
+
+.. _pkt-rule-type:
+
+Packet
+^^^^^^
+
+Rules that expose/ inspect information on a packet-level (for instance, the
+header). Certain flow keywords may also turn a rule into a ``pkt`` rule, if
+they require per-packet inspection (cf. :ref:`variable-like-keywords-sig-type`).
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`tcp-pkt` any any -> any any (msg:"tcp-pkt, anchored content"; :example-rule-emphasis:`content:"abc"; startswith;` sid:203;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"ttl"; :example-rule-emphasis:`ttl:123;` sid:701;)
+
+.. container:: example-rule
+
+ alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any 443 (flow: to_server; flowbits:set,tls_error; sid:1604; msg:"Allow TLS error handling (outgoing packet) - non-stateful rule";)
+
+.. container:: example-rule
+
+ alert tcp-pkt any any -> any any (msg:"Flowbit isset"; :example-rule-emphasis:`flowbits:isset,fb6; flowbits:isset,fb7;` sid:1919;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert tcp-pkt any any -> any any (msg:\"tcp-pkt, anchored content\"; content:\"abc\"; startswith; sid:203;)",
+ "id": 203,
+ "gid": 1,
+ "rev": 0,
+ "msg": "tcp-pkt, anchored content",
+ "app_proto": "unknown",
+ "requirements": [
+ "payload",
+ "real_pkt"
+ ],
+ "type": "pkt",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "need_packet",
+ "toserver",
+ "toclient",
+ "prefilter"
+ ],
+ "pkt_engines": [
+ {
+ "name": "payload",
+ "is_mpm": true
+ }
+ ],
+ "frame_engines": [],
+ "lists": {
+ "payload": {
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": true,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "depth": 3,
+ "fast_pattern": false,
+ "relative_next": false
+ }
+ }
+ ]
+ }
+ },
+ "mpm": {
+ "buffer": "payload",
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": true,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "depth": 3,
+ "fast_pattern": false,
+ "relative_next": false
+ }
+ }
+
+.. _ip-only-rule-type:
+
+IP Only
+^^^^^^^
+
+The IP ONLY rule type is used when rules match only on source and destination
+IP addresses, and not on any other flow or content modifier.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert tcp-stream :example-rule-emphasis:`any` any -> :example-rule-emphasis:`any` any (msg:"tcp-stream, no content"; sid:101;)
+
+.. container:: example-rule
+
+ alert tcp-pkt :example-rule-emphasis:`[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]` any -> :example-rule-emphasis:`any` any (msg:"tcp-pkt, no content"; sid:201;)
+
+.. container:: example-rule
+
+ alert ip :example-rule-emphasis:`any` any -> :example-rule-emphasis:`any` any (:example-rule-emphasis:`hostbits:set,myflow2;` sid:1505;)
+
+.. container:: example-rule
+
+ alert udp :example-rule-emphasis:`any` any -> :example-rule-emphasis:`any` any (msg:"UDP with flow direction"; sid:1601;)
+
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert ip any any -> any any (hostbits:set,myflow2; sid:1505;)",
+ "id": 1505,
+ "gid": 1,
+ "rev": 0,
+ "app_proto": "unknown",
+ "requirements": [],
+ "type": "ip_only",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [],
+ "frame_engines": [],
+ "lists": {
+ "postmatch": {
+ "matches": [
+ {
+ "name": "hostbits"
+ }
+ ]
+ }
+ }
+ }
+
+.. _like-ip-only-rule-type:
+
+IP Only (contains negated address)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A rule that inspects IP only properties, but contains negated IP addresses.
+
+IP Only signatures with negated addresses are `like` IP-only signatures, but
+currently handled differently due to limitations of the algorithm processing
+IP Only rules. Impactful differences from a user-perspective are listed on the
+Signature Types table.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert tcp 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 any -> :example-rule-emphasis:`![192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]` any (msg:"tcp, has negated IP address"; sid:304;)
+
+.. container:: example-rule
+
+ alert tcp :example-rule-emphasis:`[10.0.0.0/8,!10.10.10.10]` any -> :example-rule-emphasis:`[10.0.0.0/8,!10.10.10.10]` any (msg:"tcp, has negated IP address"; sid:305;)
+
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert tcp [10.0.0.0/8,!10.10.10.10] any -> [10.0.0.0/8,!10.10.10.10] any (msg:\"tcp, has negated IP address\"; sid:305;)",
+ "id": 305,
+ "gid": 1,
+ "rev": 0,
+ "msg": "tcp, has negated IP address",
+ "app_proto": "unknown",
+ "requirements": [],
+ "type": "like_ip_only",
+ "flags": [
+ "sp_any",
+ "dp_any",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [],
+ "frame_engines": [],
+ "lists": {}
+ }
+
+.. _pd-only-rule-type:
+
+Protocol Detection Only
+^^^^^^^^^^^^^^^^^^^^^^^
+
+When a signature checks for the application layer protocol but there is no need
+for a per-packet inspection, protocol detection can be done with the
+``app-layer-protocol`` keyword. Check the `keyword documentation
+<https://docs.suricata.io/en/latest/rules/app-layer.html#app-layer-protocol>`_
+full for usage.
+
+See :ref:`Protocol Detection Only <flowchart-pd-only-sig-type>` for a flowchart
+representing how the type is defined.
+
+See :ref:`app-layer-rule-type` for a packet-based inspection.
+
+.. warning::
+
+ Since Suricata 7, a Protocol Detection rule (that uses the
+ ``app-layer-protocol`` keyword) is not internally classified the same as a
+ rule simply matching on the application layer protocol on the ``protocol``
+ field.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"tcp, pd negated"; :example-rule-emphasis:`app-layer-protocol:!http;` sid:401;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"tcp, pd positive"; :example-rule-emphasis:`app-layer-protocol:http;` sid:402;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"tcp, pd positive dns"; :example-rule-emphasis:`app-layer-protocol:dns;` sid:403;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"tcp, pd positive, dns, flow:to_server"; :example-rule-emphasis:`app-layer-protocol:dns;` flow:to_server; sid:405;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert tcp any any -> any any (msg:\"tcp, pd positive dns\"; app-layer-protocol:dns; sid:403;)",
+ "id": 403,
+ "gid": 1,
+ "rev": 0,
+ "msg": "tcp, pd positive dns",
+ "app_proto": "unknown",
+ "requirements": [],
+ "type": "pd_only",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [
+ {
+ "name": "packet",
+ "is_mpm": false
+ }
+ ],
+ "frame_engines": [],
+ "lists": {
+ "packet": {
+ "matches": [
+ {
+ "name": "app-layer-protocol"
+ }
+ ]
+ }
+ }
+ }
+
+.. _pkt-stream-rule-type:
+
+Packet-Stream
+^^^^^^^^^^^^^
+
+A rule is categorized as such when it inspects on traffic in specific portions
+of the packet payload, using ``content`` buffer with the ``startswith`` or
+``depth`` keywords.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"tcp, anchored content"; :example-rule-emphasis:`content:"abc"; startswith;` sid:303;)
+
+.. container:: example-rule
+
+ alert http any any -> any any (msg:"http, anchored content"; :example-rule-emphasis:`content:"abc"; depth:30;` sid:603;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert http any any -> any any (msg:\"http, anchored content\"; content:\"abc\"; depth:30; sid:603;)",
+ "id": 603,
+ "gid": 1,
+ "rev": 0,
+ "msg": "http, anchored content",
+ "app_proto": "http_any",
+ "requirements": [
+ "payload",
+ "flow"
+ ],
+ "type": "pkt_stream",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "applayer",
+ "need_packet",
+ "need_stream",
+ "toserver",
+ "toclient",
+ "prefilter"
+ ],
+ "pkt_engines": [
+ {
+ "name": "payload",
+ "is_mpm": true
+ }
+ ],
+ "frame_engines": [],
+ "lists": {
+ "payload": {
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "depth": 30,
+ "fast_pattern": false,
+ "relative_next": false
+ }
+ }
+ ]
+ }
+ },
+ "mpm": {
+ "buffer": "payload",
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "depth": 30,
+ "fast_pattern": false,
+ "relative_next": false
+ }
+ }
+
+.. _stream-rule-type:
+
+Stream
+^^^^^^
+
+A rule that matches payload traffic without regards to its position, that is,
+on an unanchored ``content`` buffer, uses byte extraction or matches on
+``tcp-stream`` is classified a stream rule.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`tcp-stream` any any -> any any (msg:"tcp-stream, simple content"; :example-rule-emphasis:`content:"abc";` sid:102;)
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`http` any any -> any any (msg:"http, simple content"; :example-rule-emphasis:`content:"abc";` sid:602;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any 443 (:example-rule-emphasis:`flow: to_server; content:"abc";` flowbits:set,tls_error; sid:1605; msg:"Allow TLS error handling (outgoing packet) with simple content - Stream rule";)
+
+.. container:: example-rule
+
+ alert tcp any any -> any 443 (:example-rule-emphasis:`flow: to_server; content:"abc";` sid:160401; msg:"Allow TLS error handling (outgoing packet) - stream rule";)
+
+.. container:: example-rule
+
+ alert tcp any any -> any 443 (:example-rule-emphasis:`content:"abc";` sid:160402; msg:"Allow TLS error handling (outgoing packet) - stream rule";)
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`tcp` any any -> any any (msg:"byte_extract with dce"; :example-rule-emphasis:`byte_extract:4,0,var,dce; byte_test:4,>,var,4,little;` sid:901;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert tcp any any -> any any (msg:\"byte_extract with dce\"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; sid:901;)",
+ "id": 901,
+ "gid": 1,
+ "rev": 0,
+ "msg": "byte_extract with dce",
+ "app_proto": "dcerpc",
+ "requirements": [
+ "payload",
+ "flow"
+ ],
+ "type": "stream",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "applayer",
+ "need_stream",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [
+ {
+ "name": "payload",
+ "is_mpm": false
+ }
+ ],
+ "frame_engines": [],
+ "lists": {
+ "payload": {
+ "matches": [
+ {
+ "name": "byte_extract"
+ },
+ {
+ "name": "byte_test",
+ "byte_test": {
+ "nbytes": 4,
+ "offset": 4,
+ "base": "unset",
+ "flags": [
+ "little_endian"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+
+.. _app-layer-rule-type:
+
+Application Layer Protocol
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For a packet-based inspection of the application layer protocol, a rule should
+use the `protocol <https://suri-rtd-test.readthedocs.io/en/doc-sigtypes-et-properties-v5/rules/intro.html#protocol>`_ field for the matches.
+
+.. warning::
+
+ Since Suricata 7, a simple rule matching traffic on the ``protocol`` field
+ is not internally classified the same as a rule using the ``app-layer-protocol``
+ keyword).
+
+.. warning::
+
+ As per Suricata 7, if ``flow:established`` or ``flow:not_established`` is added
+ to a base Application Layer Protocol rule, that signature will become a
+ :ref:`pkt-rule-type` rule.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`dns` any any -> any any (msg:"app-layer, dns"; sid:404;)
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`http` any any -> any any (msg:"http, no content"; sid:601;)
+
+.. container:: example-rule
+
+ alert :example-rule-emphasis:`tls` any any -> any any (msg:"tls, pkt or app-layer?"; flowint:tls_error_int,=,0; sid:613;)
+
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert dns any any -> any any (msg:\"app-layer, dns\"; sid:404;)",
+ "id": 404,
+ "gid": 1,
+ "rev": 0,
+ "msg": "app-layer, dns",
+ "app_proto": "dns",
+ "requirements": [
+ "flow"
+ ],
+ "type": "app_layer",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "applayer",
+ "toserver",
+ "toclient"
+ ],
+ "pkt_engines": [],
+ "frame_engines": [],
+ "lists": {}
+ }
+
+.. _app-tx-rule-type:
+
+Application Layer Protocol Transactions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Rules inspecting traffic using keywords related to application layer protocols
+are classified with this signature type. This also includes `frame` keywords.
+
+Examples
+""""""""
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"http, pos event"; :example-rule-emphasis:`app-layer-event:http.file_name_too_long;` sid:501;)
+
+.. container:: example-rule
+
+ alert http any any -> any any (msg:"Test"; flow:established,to_server; :example-rule-emphasis:`http.method; content:"GET"; http.uri; content:".exe";` endswith; :example-rule-emphasis:`http.host; content:!".google.com";` endswith; sid:1102;)
+
+.. container:: example-rule
+
+ alert udp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; :example-rule-emphasis:`frame:dns.pdu;` content:"\|01 20 00 01\|"; offset:2; content:"suricata"; offset:13; sid:1402; rev:1;)
+
+.. container:: example-rule
+
+ alert tcp any any -> any any (msg:"byte_extract with dce"; :example-rule-emphasis:`dcerpc.stub_data;` content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+
+Engine-Analysis Report
+""""""""""""""""""""""
+.. code-block:: json
+
+ {
+ "raw": "alert tcp any any -> any any (msg:\"byte_extract with dce\"; dcerpc.stub_data; content:\"abc\"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)",
+ "id": 902,
+ "gid": 1,
+ "rev": 0,
+ "msg": "byte_extract with dce",
+ "app_proto": "dcerpc",
+ "requirements": [
+ "flow"
+ ],
+ "type": "app_tx",
+ "flags": [
+ "src_any",
+ "dst_any",
+ "sp_any",
+ "dp_any",
+ "applayer",
+ "toserver",
+ "toclient",
+ "prefilter"
+ ],
+ "pkt_engines": [],
+ "frame_engines": [],
+ "engines": [
+ {
+ "name": "dce_stub_data",
+ "direction": "toclient",
+ "is_mpm": true,
+ "app_proto": "dcerpc",
+ "progress": 0,
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "fast_pattern": false,
+ "relative_next": true
+ }
+ },
+ {
+ "name": "byte_extract"
+ },
+ {
+ "name": "byte_test",
+ "byte_test": {
+ "nbytes": 4,
+ "offset": 4,
+ "base": "unset",
+ "flags": [
+ "little_endian"
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "name": "dce_stub_data",
+ "direction": "toserver",
+ "is_mpm": true,
+ "app_proto": "dcerpc",
+ "progress": 0,
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "fast_pattern": false,
+ "relative_next": true
+ }
+ },
+ {
+ "name": "byte_extract"
+ },
+ {
+ "name": "byte_test",
+ "byte_test": {
+ "nbytes": 4,
+ "offset": 4,
+ "base": "unset",
+ "flags": [
+ "little_endian"
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "name": "dce_stub_data",
+ "direction": "toclient",
+ "is_mpm": true,
+ "app_proto": "smb",
+ "progress": 0,
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "fast_pattern": false,
+ "relative_next": true
+ }
+ },
+ {
+ "name": "byte_extract"
+ },
+ {
+ "name": "byte_test",
+ "byte_test": {
+ "nbytes": 4,
+ "offset": 4,
+ "base": "unset",
+ "flags": [
+ "little_endian"
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "name": "dce_stub_data",
+ "direction": "toserver",
+ "is_mpm": true,
+ "app_proto": "smb",
+ "progress": 0,
+ "matches": [
+ {
+ "name": "content",
+ "content": {
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "fast_pattern": false,
+ "relative_next": true
+ }
+ },
+ {
+ "name": "byte_extract"
+ },
+ {
+ "name": "byte_test",
+ "byte_test": {
+ "nbytes": 4,
+ "offset": 4,
+ "base": "unset",
+ "flags": [
+ "little_endian"
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "lists": {},
+ "mpm": {
+ "buffer": "dce_stub_data",
+ "pattern": "abc",
+ "length": 3,
+ "nocase": false,
+ "negated": false,
+ "starts_with": false,
+ "ends_with": false,
+ "is_mpm": true,
+ "no_double_inspect": false,
+ "fast_pattern": false,
+ "relative_next": true
+ }
+ }
+
+.. _detailed-flowcharts-sig-type:
+
+Detailed Flowcharts
+-------------------
+
+A look into the illustrated overall representation of functions or paths that
+determine signature types.
+
+.. _flowchart-ip-only-sig-type:
+
+IP Only and IP Only with negated addresses
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``ip_only`` and ``like_ip_only`` flows.
+
+.. image:: rule-types/IP-Only.png
+ :align: center
+ :alt: A flowchart representing the SignatureIsIPOnly function.
+
+.. _flowchart-pd-only-sig-type:
+
+Protocol Detection Only
+^^^^^^^^^^^^^^^^^^^^^^^
+
+``pd_only`` flow.
+
+.. image:: rule-types/PD-only.png
+ :align: center
+ :width: 400
+ :alt: A flowchart representing the SignatureIsPDOnly function.
+
+.. _flowchart-app-layer-packet-app-tx-stream-sig-types:
+
+Application Layer Protocol, Transaction, Packet, Stream and Stream-Packet rules
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``app_layer``, ``app_tx``, ``pkt``, ``stream`` and ``stream-pkt`` flows.
+
+``REQUIRE_PACKET_`` and ``REQUIRE_STREAM`` can be seen as flags ``need_packet``
+and ``need_stream`` in the ``engine-analysis`` output.
+
+.. image:: rule-types/APP_Layer-Packet-TX-Stream.png
+ :align: center
+ :alt: A flowchart representing the portion of SignatureSetType function
+ that handles app_layer, app_tx, stream, pkt_stream and pkt rules.
--- /dev/null
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" version="26.0.5">
+ <diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">
+ <mxGraphModel dx="1434" dy="792" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+ <root>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-0" />
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-1" parent="WIyWlLk6GJQsqaUBKTNV-0" />
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-2" value="" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=11;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=0;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;exitX=0;exitY=0.5;exitDx=0;exitDy=0;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="0s5H1ICuEW0THiAgHV-k-6" target="WIyWlLk6GJQsqaUBKTNV-6" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="499" y="108" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-5" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=15;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=0;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="WIyWlLk6GJQsqaUBKTNV-7" edge="1">
+ <mxGeometry y="10" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="eGOkAom5l4kSlUUYHeej-0" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;" edge="1" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="WIyWlLk6GJQsqaUBKTNV-10">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="eGOkAom5l4kSlUUYHeej-1" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" vertex="1" connectable="0" parent="eGOkAom5l4kSlUUYHeej-0">
+ <mxGeometry x="0.0556" y="3" relative="1" as="geometry">
+ <mxPoint x="9" y="-3" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-6" value="<div>buffer</div><div>packet_engine?</div>" style="rhombus;whiteSpace=wrap;html=1;shadow=1;fontFamily=Helvetica;fontSize=15;align=center;strokeWidth=1;spacing=6;spacingTop=-4;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="89.38" y="187" width="156.25" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-7" value="Packet" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#FFCC99;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="813" y="222" width="120" height="40" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-9" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=15;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=0;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-12" edge="1">
+ <mxGeometry y="10" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-2" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="xHfLyH90HpsRTlA_s4lh-1" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-4" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-2" vertex="1" connectable="0">
+ <mxGeometry x="0.2508" y="-1" relative="1" as="geometry">
+ <mxPoint x="14" y="-4" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-10" value="<div style="font-size: 15px;">buffer<br>frame_engine OR buffer app_engine?</div>" style="rhombus;whiteSpace=wrap;html=1;shadow=1;fontFamily=Helvetica;fontSize=15;align=center;strokeWidth=1;spacing=6;spacingTop=-4;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="50" y="330" width="235" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-11" value="Application Layer Protocol" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#B9E0A5;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="304" y="765" width="170" height="50" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-12" value="Application Layer Protocol Transaction" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#67AB9F;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="808" y="350" width="130" height="70" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-1" target="xHfLyH90HpsRTlA_s4lh-8" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="167.4999999999999" y="740" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-7" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-6" vertex="1" connectable="0">
+ <mxGeometry x="-0.2257" y="2" relative="1" as="geometry">
+ <mxPoint x="11" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-1" target="xHfLyH90HpsRTlA_s4lh-11" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="352.5" y="600" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-10" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-9" vertex="1" connectable="0">
+ <mxGeometry x="-0.0137" y="3" relative="1" as="geometry">
+ <mxPoint x="-2" y="-9" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-1" value="<div><br></div><div>Payload&nbsp;</div><div>and/or<br>Stream match?</div><div><br></div>" style="rhombus;whiteSpace=wrap;html=1;shadow=1;fontFamily=Helvetica;fontSize=15;align=center;strokeWidth=1;spacing=6;spacingTop=-4;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="71.25" y="472.5" width="192.5" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-26" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-8" target="ePn_FxX4DdHERsb3t1WL-1" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="502.5" y="135" as="targetPoint" />
+ <mxPoint x="312.5" y="795" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-27" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-26" vertex="1" connectable="0">
+ <mxGeometry x="-0.9663" y="-1" relative="1" as="geometry">
+ <mxPoint x="65" y="-16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-28" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-8" target="xHfLyH90HpsRTlA_s4lh-29" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="167.4999999999999" y="900" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-30" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-28" vertex="1" connectable="0">
+ <mxGeometry x="-0.0063" y="1" relative="1" as="geometry">
+ <mxPoint x="15" y="-5" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-8" value="<div><div><br></div></div><div>Non-payload</div><div>per-packet match?</div><div><br></div>" style="rhombus;whiteSpace=wrap;html=1;shadow=1;fontFamily=Helvetica;fontSize=15;align=center;strokeWidth=1;spacing=6;spacingTop=-4;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="71.25" y="620" width="192.5" height="100" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-13" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-11" target="ePn_FxX4DdHERsb3t1WL-0" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="692.5" y="185" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="IUO5ygfKNNC4OAWbKBHn-0" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-13" vertex="1" connectable="0">
+ <mxGeometry x="-0.3438" y="-1" relative="1" as="geometry">
+ <mxPoint y="-16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-16" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-11" target="xHfLyH90HpsRTlA_s4lh-17" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="657.5" y="720" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-21" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-16" vertex="1" connectable="0">
+ <mxGeometry x="-0.3914" y="1" relative="1" as="geometry">
+ <mxPoint x="13" y="-19" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-11" value="<div style="font-size: 15px;">flag<br>REQUIRE_PACKET<br>and not flag<br>REQUIRE_STREAM</div><div><br></div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;labelBackgroundColor=none;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="315" y="456.25" width="247" height="142.5" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-20" value="" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-17" target="xHfLyH90HpsRTlA_s4lh-19" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-23" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-20" vertex="1" connectable="0">
+ <mxGeometry x="0.2675" y="2" relative="1" as="geometry">
+ <mxPoint x="-14" y="-12" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-24" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-17" target="xHfLyH90HpsRTlA_s4lh-25" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="680.5" y="940" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-35" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-24" vertex="1" connectable="0">
+ <mxGeometry x="-0.2" y="1" relative="1" as="geometry">
+ <mxPoint x="25" y="-11" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-17" value="<div style="font-size: 15px;">flag<br>REQUIRE_STREAM<br>and not flag<br>REQUIRE_PACKET</div><div style="font-size: 15px;"><br></div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;labelBackgroundColor=none;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="535" y="560" width="220" height="155" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-19" value="Stream" style="whiteSpace=wrap;html=1;rounded=1;fillColor=#FF9999;fontSize=15;labelBackgroundColor=none;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="813" y="607.5" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-25" value="Packet-Stream" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#E09F63;fontSize=15;labelBackgroundColor=none;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="809.5" y="730" width="127" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-31" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-29" target="WIyWlLk6GJQsqaUBKTNV-11" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-32" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-31" vertex="1" connectable="0">
+ <mxGeometry x="0.0571" relative="1" as="geometry">
+ <mxPoint x="-10" y="-12" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-33" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="xHfLyH90HpsRTlA_s4lh-29" target="ePn_FxX4DdHERsb3t1WL-2" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-34" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;labelBackgroundColor=none;textShadow=0;" parent="xHfLyH90HpsRTlA_s4lh-33" vertex="1" connectable="0">
+ <mxGeometry x="-0.9653" y="2" relative="1" as="geometry">
+ <mxPoint x="10" y="16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="xHfLyH90HpsRTlA_s4lh-29" value="<div style="font-size: 15px;">APP LAYER ?<br style="font-size: 15px;"></div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;labelBackgroundColor=none;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="98.75" y="755" width="137.5" height="70" as="geometry" />
+ </mxCell>
+ <mxCell id="ePn_FxX4DdHERsb3t1WL-0" value="Packet" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#FFCC99;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="813" y="507.5" width="120" height="40" as="geometry" />
+ </mxCell>
+ <mxCell id="ePn_FxX4DdHERsb3t1WL-1" value="Packet" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#FFCC99;labelBackgroundColor=none;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="813" y="833" width="120" height="40" as="geometry" />
+ </mxCell>
+ <mxCell id="ePn_FxX4DdHERsb3t1WL-2" value="Packet" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;glass=0;strokeWidth=1;shadow=1;fillColor=#FFCC99;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="329" y="851" width="120" height="40" as="geometry" />
+ </mxCell>
+ <mxCell id="ePn_FxX4DdHERsb3t1WL-5" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;textShadow=0;" parent="WIyWlLk6GJQsqaUBKTNV-1" source="ePn_FxX4DdHERsb3t1WL-2" target="ePn_FxX4DdHERsb3t1WL-2" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="0s5H1ICuEW0THiAgHV-k-6" value="Signature" style="shape=parallelogram;html=1;strokeWidth=1;perimeter=parallelogramPerimeter;whiteSpace=wrap;rounded=1;arcSize=12;size=0.23;fontSize=15;textShadow=0;shadow=1;" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="474" y="126" width="150" height="60" as="geometry" />
+ </mxCell>
+ </root>
+ </mxGraphModel>
+ </diagram>
+</mxfile>
--- /dev/null
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" version="26.0.5">
+ <diagram name="Page-1" id="0w9xQVbQPSFQAx9yTVe1">
+ <mxGraphModel dx="1936" dy="932" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
+ <root>
+ <mxCell id="0" />
+ <mxCell id="1" parent="0" />
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;entryX=0.5;entryY=1;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-2" target="0AOyOH4djSygT5G8EftG-2" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1736" y="433" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-3" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-6" vertex="1" connectable="0">
+ <mxGeometry x="-0.0364" y="-1" relative="1" as="geometry">
+ <mxPoint x="15" y="-2" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-2" target="HzgoOLMbdf1Lhczd7Y_U-1" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1327" y="859" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="D7SFLykBpT77EkUcGLZz-3" value="<div>Yes</div>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-3" vertex="1" connectable="0">
+ <mxGeometry x="-0.2" relative="1" as="geometry">
+ <mxPoint x="-3" y="-16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-2" value="<div>ALPROTO</div><div>UNKNOWN?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="636" y="697" width="185" height="90" as="geometry" />
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-13" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-9" target="LDplG8UmEiPDtL-p8i6A-12" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1230" y="750" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-7" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-13" vertex="1" connectable="0">
+ <mxGeometry x="0.0618" y="-2" relative="1" as="geometry">
+ <mxPoint x="-3" y="-16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-9" target="0AOyOH4djSygT5G8EftG-5" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-7" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="0AOyOH4djSygT5G8EftG-6" vertex="1" connectable="0">
+ <mxGeometry x="0.1538" y="1" relative="1" as="geometry">
+ <mxPoint x="19" y="9" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-9" value="APP LAYER?" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1136" y="702" width="175" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-14" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-12" target="0AOyOH4djSygT5G8EftG-8" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1044" y="940" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-15" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-14" vertex="1" connectable="0">
+ <mxGeometry x="-0.3802" y="2" relative="1" as="geometry">
+ <mxPoint x="21" y="-9" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-18" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="LDplG8UmEiPDtL-p8i6A-12" target="LDplG8UmEiPDtL-p8i6A-16" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1549" y="740" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-8" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-18" vertex="1" connectable="0">
+ <mxGeometry x="-0.2857" relative="1" as="geometry">
+ <mxPoint x="-14" y="24" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-12" value="<div><span>Flow direction</span></div><div><span>set?</span></div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1357.75" y="705.25" width="177.5" height="73.75" as="geometry" />
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;entryX=0.5;entryY=0;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-16" target="0AOyOH4djSygT5G8EftG-21" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1719" y="764" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-20" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-17" vertex="1" connectable="0">
+ <mxGeometry x="-0.6767" relative="1" as="geometry">
+ <mxPoint x="20" y="20" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-16" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-16" target="n4viz4upnR27VTd0IMI--3" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1280" y="1070" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-9" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-16" vertex="1" connectable="0">
+ <mxGeometry x="-0.7663" y="-1" relative="1" as="geometry">
+ <mxPoint x="-22" y="-13" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-16" value="<div>Buffer</div><div>inspection?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1362.5" y="834" width="168" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-24" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="LDplG8UmEiPDtL-p8i6A-20" target="HzgoOLMbdf1Lhczd7Y_U-23" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="477.5" y="1321" as="sourcePoint" />
+ <mxPoint x="331" y="1321" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-11" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-24" vertex="1" connectable="0">
+ <mxGeometry x="0.0333" y="-2" relative="1" as="geometry">
+ <mxPoint x="-13" y="-16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-13" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-20" target="0AOyOH4djSygT5G8EftG-12" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-14" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="0AOyOH4djSygT5G8EftG-13" vertex="1" connectable="0">
+ <mxGeometry x="-0.1333" y="-1" relative="1" as="geometry">
+ <mxPoint x="19" y="-2" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-20" value="<div>Flowbits<br>AND NOT</div><div>flowbits:set</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="660" y="823" width="153" height="102" as="geometry" />
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-28" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-26" target="HzgoOLMbdf1Lhczd7Y_U-11" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1577.75" y="900" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-29" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-28" vertex="1" connectable="0">
+ <mxGeometry x="-0.3683" y="2" relative="1" as="geometry">
+ <mxPoint x="16" y="2" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-14" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-26" target="LDplG8UmEiPDtL-p8i6A-31" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1309" y="1130" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-13" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-14" vertex="1" connectable="0">
+ <mxGeometry x="0.0133" y="-1" relative="1" as="geometry">
+ <mxPoint y="-15" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-26" value="Post Match:<br><div>Flowbits&nbsp;</div><div>AND NOT flowbits:set</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="853.5" y="1068" width="251" height="124" as="geometry" />
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-33" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;entryX=0;entryY=0.5;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;" parent="1" target="0AOyOH4djSygT5G8EftG-23" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1485.5" y="1150" as="targetPoint" />
+ <mxPoint x="1324" y="1130" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-12" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-33" vertex="1" connectable="0">
+ <mxGeometry x="0.3875" y="2" relative="1" as="geometry">
+ <mxPoint x="-18" y="-12" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-36" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="LDplG8UmEiPDtL-p8i6A-31" target="0AOyOH4djSygT5G8EftG-25" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1266.5" y="1230" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-13" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="LDplG8UmEiPDtL-p8i6A-36" vertex="1" connectable="0">
+ <mxGeometry x="-0.0667" y="-1" relative="1" as="geometry">
+ <mxPoint x="18" y="-2" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="LDplG8UmEiPDtL-p8i6A-31" value="<div>Contains negated</div><div>IP address?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1161.5" y="1065" width="168.5" height="130" as="geometry" />
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-4" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;fontSize=15;entryX=0.5;entryY=1;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-1" target="0AOyOH4djSygT5G8EftG-4" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="1457" y="389" as="targetPoint" />
+ <mxPoint x="1327" y="589" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-5" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-4" vertex="1" connectable="0">
+ <mxGeometry x="-0.8787" y="4" relative="1" as="geometry">
+ <mxPoint x="22" y="-17" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-8" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-1" target="LDplG8UmEiPDtL-p8i6A-9" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="878.5" y="1176" as="sourcePoint" />
+ <mxPoint x="1144" y="740" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-15" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-8" vertex="1" connectable="0">
+ <mxGeometry x="0.4426" y="-1" relative="1" as="geometry">
+ <mxPoint x="-18" y="-15" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-1" value="<div>Payload</div><div>and<br></div><div>stream match?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="867" y="687" width="215" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="0AOyOH4djSygT5G8EftG-1" target="LDplG8UmEiPDtL-p8i6A-2" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="541" y="743" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-11" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="919" y="1240" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-15" target="LDplG8UmEiPDtL-p8i6A-20" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="519.5" y="999" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-10" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-17" vertex="1" connectable="0">
+ <mxGeometry x="-0.4493" y="1" relative="1" as="geometry">
+ <mxPoint x="-16" y="-17" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-16" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-15" target="0AOyOH4djSygT5G8EftG-15" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="880" y="920" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-17" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="0AOyOH4djSygT5G8EftG-16" vertex="1" connectable="0">
+ <mxGeometry x="-0.2" y="1" relative="1" as="geometry">
+ <mxPoint x="14" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-15" value="<div>IP_Only</div><div>compatible?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="890" y="829" width="139" height="89" as="geometry" />
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-25" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-23" target="LDplG8UmEiPDtL-p8i6A-26" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="825" y="805" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="zVmsChvBqX3Bo2thPNO_-12" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="HzgoOLMbdf1Lhczd7Y_U-25" vertex="1" connectable="0">
+ <mxGeometry x="-0.38" y="-2" relative="1" as="geometry">
+ <mxPoint x="6" y="-15" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-10" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="HzgoOLMbdf1Lhczd7Y_U-23" target="n4viz4upnR27VTd0IMI--8" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="716.9411764705883" y="1240" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-11" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="0AOyOH4djSygT5G8EftG-10" vertex="1" connectable="0">
+ <mxGeometry x="-0.1333" y="2" relative="1" as="geometry">
+ <mxPoint x="10" y="-1" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="HzgoOLMbdf1Lhczd7Y_U-23" value="Post Match:<br><div>IP_Only</div><div>compatible?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="643.5" y="1065" width="146.5" height="130" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-1" value="Signature" style="shape=parallelogram;html=1;strokeWidth=1;perimeter=parallelogramPerimeter;whiteSpace=wrap;rounded=1;arcSize=12;size=0.23;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="460" y="701" width="140" height="82" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-2" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="668.5" y="582" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-4" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="914.5" y="578" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-5" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1163.5" y="579" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-8" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1386.5" y="579" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-12" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="676.5" y="975" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-15" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="899.5" y="974" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-21" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1381.5" y="974" width="130" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-23" value="<font>Like IP Only</font>" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#cdeb8b;strokeColor=#36393d;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1384" y="1100" width="127.5" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="0AOyOH4djSygT5G8EftG-25" value="IP Only" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#000000;fontSize=15;shadow=1;" parent="1" vertex="1">
+ <mxGeometry x="1186.5" y="1240" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" edge="1" parent="1" source="n4viz4upnR27VTd0IMI--3" target="n4viz4upnR27VTd0IMI--4">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--2" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" vertex="1" connectable="0" parent="n4viz4upnR27VTd0IMI--1">
+ <mxGeometry x="-0.2" y="1" relative="1" as="geometry">
+ <mxPoint x="14" y="-4" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--5" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=15;" edge="1" parent="1" source="n4viz4upnR27VTd0IMI--3" target="HzgoOLMbdf1Lhczd7Y_U-15">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="973" y="874" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--6" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" vertex="1" connectable="0" parent="n4viz4upnR27VTd0IMI--5">
+ <mxGeometry x="0.0134" y="-1" relative="1" as="geometry">
+ <mxPoint y="-14" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--3" value="<div>Non-payload</div><div>per-packet match?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" vertex="1" parent="1">
+ <mxGeometry x="1100" y="816" width="197" height="116" as="geometry" />
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--4" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" vertex="1" parent="1">
+ <mxGeometry x="1138.5" y="974" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="n4viz4upnR27VTd0IMI--8" value="Not IP Only" style="rounded=1;whiteSpace=wrap;html=1;fontSize=15;shadow=1;" vertex="1" parent="1">
+ <mxGeometry x="657" y="1240" width="120" height="60" as="geometry" />
+ </mxCell>
+ </root>
+ </mxGraphModel>
+ </diagram>
+</mxfile>
--- /dev/null
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0" version="24.9.1">
+ <diagram id="C5RBs43oDa-KdzZeNtuy" name="Page-1">
+ <mxGraphModel dx="2261" dy="792" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+ <root>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-0" />
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-1" parent="WIyWlLk6GJQsqaUBKTNV-0" />
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-4" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="WIyWlLk6GJQsqaUBKTNV-10" edge="1">
+ <mxGeometry y="20" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-5" value="No" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="WIyWlLk6GJQsqaUBKTNV-7" edge="1">
+ <mxGeometry x="0.0039" y="15" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ <mxPoint x="-120" y="220" as="sourcePoint" />
+ <Array as="points">
+ <mxPoint x="-120" y="195" />
+ </Array>
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="2s8PCpyst4B-AYq6nZVi-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-6" target="2s8PCpyst4B-AYq6nZVi-2" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="-120" y="200" as="targetPoint" />
+ <Array as="points">
+ <mxPoint x="-120" y="360" />
+ <mxPoint x="-120" y="360" />
+ </Array>
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="YKtqplUdx_BT4Hee0G-G-2" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;fontStyle=0" vertex="1" connectable="0" parent="2s8PCpyst4B-AYq6nZVi-1">
+ <mxGeometry x="-0.05" y="-3" relative="1" as="geometry">
+ <mxPoint x="17" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-6" value="Is IpOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="-170" y="390" width="100" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-7" value="<span>IP Only</span>" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="213.5" y="160" width="91" height="70" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-8" value="No" style="rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;edgeStyle=orthogonalEdgeStyle;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-11" edge="1">
+ <mxGeometry x="0.3333" y="20" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-9" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="WIyWlLk6GJQsqaUBKTNV-10" target="WIyWlLk6GJQsqaUBKTNV-12" edge="1">
+ <mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-10" value="Is DEOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry y="390" width="100" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-11" value="Handle <span>'Packet'</span>, <span>'Stream'</span>, '<span>AppLayer'</span> and <span>'AppLayer Transaction'</span> rule types" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="163.5" y="375" width="191" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="WIyWlLk6GJQsqaUBKTNV-12" value="<span>Decoder Events Only</span>" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="-30" y="535" width="160" height="55" as="geometry" />
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-0" value="Yes" style="edgeStyle=orthogonalEdgeStyle;rounded=0;html=1;jettySize=auto;orthogonalLoop=1;fontSize=16;endArrow=blockThin;endFill=1;endSize=8;strokeWidth=1;shadow=1;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="3Z0NyFf9CSu-jNyiQ6yW-2" edge="1">
+ <mxGeometry x="-0.0769" y="20" relative="1" as="geometry">
+ <mxPoint as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="3Z0NyFf9CSu-jNyiQ6yW-1" target="WIyWlLk6GJQsqaUBKTNV-6" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-4" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="3Z0NyFf9CSu-jNyiQ6yW-3" vertex="1" connectable="0">
+ <mxGeometry x="-0.1667" relative="1" as="geometry">
+ <mxPoint y="-20" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-1" value="Is IPDOnly" style="rhombus;html=1;shadow=1;fontFamily=Helvetica;fontSize=16;align=center;strokeWidth=1;spacing=5;spacingTop=2;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="-340" y="390" width="100" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-2" value="<span>Protocol Detection Only</span>" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="-370" y="535" width="160" height="65" as="geometry" />
+ </mxCell>
+ <mxCell id="3Z0NyFf9CSu-jNyiQ6yW-10" value="<div><span>Like IP Only</span><br>(has negated address(es))<br></div>" style="rounded=1;html=1;fontSize=16;glass=0;strokeWidth=1;shadow=1;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="183.5" y="260" width="151" height="70" as="geometry" />
+ </mxCell>
+ <mxCell id="2s8PCpyst4B-AYq6nZVi-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" source="2s8PCpyst4B-AYq6nZVi-2" target="3Z0NyFf9CSu-jNyiQ6yW-10" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <Array as="points" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="2s8PCpyst4B-AYq6nZVi-4" value="<div>Yes<br></div>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=16;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="2s8PCpyst4B-AYq6nZVi-3" vertex="1" connectable="0">
+ <mxGeometry x="-0.4" relative="1" as="geometry">
+ <mxPoint y="-20" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="2s8PCpyst4B-AYq6nZVi-2" value="<div>Contains</div><div>Negated</div><div>Address?</div>" style="rhombus;html=1;fontSize=16;whiteSpace=wrap;labelBackgroundColor=none;labelBorderColor=none;textShadow=0;shadow=1;spacingRight=5;spacingBottom=2;spacingLeft=5;spacingTop=2;spacing=5;fontStyle=0" parent="WIyWlLk6GJQsqaUBKTNV-1" vertex="1">
+ <mxGeometry x="-190" y="240" width="140" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="YKtqplUdx_BT4Hee0G-G-1" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=blockThin;endFill=1;fontSize=16;shadow=1;fontStyle=0" edge="1" parent="WIyWlLk6GJQsqaUBKTNV-1" source="YKtqplUdx_BT4Hee0G-G-0" target="3Z0NyFf9CSu-jNyiQ6yW-1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="YKtqplUdx_BT4Hee0G-G-0" value="Signature" style="shape=parallelogram;html=1;strokeWidth=1;perimeter=parallelogramPerimeter;whiteSpace=wrap;rounded=1;arcSize=12;size=0.23;fontSize=16;shadow=1;fontStyle=0" vertex="1" parent="WIyWlLk6GJQsqaUBKTNV-1">
+ <mxGeometry x="-345" y="230" width="110" height="60" as="geometry" />
+ </mxCell>
+ </root>
+ </mxGraphModel>
+ </diagram>
+</mxfile>
--- /dev/null
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0" version="26.0.5">
+ <diagram name="Page-1" id="Huy6zuTNKuhlR82RVxZD">
+ <mxGraphModel dx="1434" dy="792" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
+ <root>
+ <mxCell id="0" />
+ <mxCell id="1" parent="0" />
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-4" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-7" target="SssYP0pVQeMwz5sfJHV3-8" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-5" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-4" vertex="1" connectable="0">
+ <mxGeometry x="0.511" y="1" relative="1" as="geometry">
+ <mxPoint x="-46" y="-11" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-7" target="SssYP0pVQeMwz5sfJHV3-10" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="345" y="600" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-1" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-6" vertex="1" connectable="0">
+ <mxGeometry x="-0.333" relative="1" as="geometry">
+ <mxPoint x="13" y="1" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-7" value="<div>ALPROTO</div><div>UNKNOWN?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="201.88" y="440" width="148.75" height="120" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-8" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="473.13000000000005" y="467.13" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-10" target="SssYP0pVQeMwz5sfJHV3-19" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="277.25" y="960" as="targetPoint" />
+ <mxPoint x="277.29999999999995" y="819.9744360902255" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-2" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-9" vertex="1" connectable="0">
+ <mxGeometry x="-0.5283" y="1" relative="1" as="geometry">
+ <mxPoint x="12" y="7" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-10" value="<div>Payload<br>and/or<br>Stream match list?</div><div><br></div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="176.26" y="612" width="200" height="130" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-11" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-10" target="mP8Eb71_Q6LACfifqw_b-11" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-12" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-11" vertex="1" connectable="0">
+ <mxGeometry x="-0.3513" y="1" relative="1" as="geometry">
+ <mxPoint x="6" y="-11" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-19" target="mP8Eb71_Q6LACfifqw_b-3" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="701.8000000000002" y="698.04" as="targetPoint" />
+ <mxPoint x="310" y="1112" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-33" value="<div>Yes</div>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-17" vertex="1" connectable="0">
+ <mxGeometry x="-0.6597" y="-3" relative="1" as="geometry">
+ <mxPoint x="36" y="-17" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-19" value="Buffer inspection?" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="192.25" y="802" width="168" height="80" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-35" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-22" target="SssYP0pVQeMwz5sfJHV3-34" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="276.29999999999995" y="1024.9749646239252" as="sourcePoint" />
+ <mxPoint x="276.29999999999995" y="1136.01" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-12" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-35" vertex="1" connectable="0">
+ <mxGeometry x="0.0619" y="3" relative="1" as="geometry">
+ <mxPoint x="14" y="-9" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-10" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-22" target="a3aPwti0dP9LQcNFLp-g-5" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="557" y="991" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-9" value="<font>No</font>" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="mP8Eb71_Q6LACfifqw_b-10" vertex="1" connectable="0">
+ <mxGeometry x="-0.4399" y="3" relative="1" as="geometry">
+ <mxPoint x="15" y="-9" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-22" value="<div>non-payload</div><div>per-packet</div><div>matches?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="184.39" y="934" width="183.74" height="115" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-29" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-30" target="SssYP0pVQeMwz5sfJHV3-32" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="275" y="1786" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-14" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-29" vertex="1" connectable="0">
+ <mxGeometry x="-0.5874" y="-4" relative="1" as="geometry">
+ <mxPoint x="20" y="16" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-30" value="<div>Has keyword</div><div>app-layer-protocol?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="150.25" y="1596" width="249.5" height="112" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-32" value="<div>Protocol Detection Only<br></div>" style="whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#000000;rounded=1;shadow=1;fontSize=15;imageAspect=1;" parent="1" vertex="1">
+ <mxGeometry x="214.5" y="1758" width="121" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-36" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-34" target="SssYP0pVQeMwz5sfJHV3-39" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="170" y="1599" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-16" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-36" vertex="1" connectable="0">
+ <mxGeometry x="-0.2574" y="-1" relative="1" as="geometry">
+ <mxPoint x="15" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-37" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-34" target="a3aPwti0dP9LQcNFLp-g-4" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="726.26" y="1164" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-38" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-37" vertex="1" connectable="0">
+ <mxGeometry x="-0.3341" y="2" relative="1" as="geometry">
+ <mxPoint x="9" y="-10" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-34" value="Flowbits<br>AND NOT<br>flowbits:set" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="184.39000000000001" y="1084" width="181.87" height="110" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-42" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-39" target="SssYP0pVQeMwz5sfJHV3-43" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="182.5" y="1831" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-15" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-42" vertex="1" connectable="0">
+ <mxGeometry x="-0.05" y="4" relative="1" as="geometry">
+ <mxPoint x="10" y="-6" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-16" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-39" target="a3aPwti0dP9LQcNFLp-g-3" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="710" y="1546" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-17" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="WFfWZLXEymwSXmm__kdr-16" vertex="1" connectable="0">
+ <mxGeometry x="-0.7803" y="-4" relative="1" as="geometry">
+ <mxPoint x="22" y="-17" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-39" value="Flow setting<br>AND NOT<br><div>TOSERVER</div><div>or TOCLIENT</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="164.24" y="1246" width="222.17" height="140" as="geometry" />
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-47" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-43" target="SssYP0pVQeMwz5sfJHV3-30" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-17" value="Yes" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="SssYP0pVQeMwz5sfJHV3-47" vertex="1" connectable="0">
+ <mxGeometry x="-0.2443" y="2" relative="1" as="geometry">
+ <mxPoint x="13" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-43" target="a3aPwti0dP9LQcNFLp-g-7" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="730" y="1710" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-14" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="mP8Eb71_Q6LACfifqw_b-9" vertex="1" connectable="0">
+ <mxGeometry x="-0.1489" y="-1" relative="1" as="geometry">
+ <mxPoint x="-13" y="-14" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="SssYP0pVQeMwz5sfJHV3-43" value="<div>Match</div><div>IP_Only compatible?</div>" style="rhombus;whiteSpace=wrap;html=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="160.17000000000002" y="1436.5" width="229.67" height="103" as="geometry" />
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-19" target="SssYP0pVQeMwz5sfJHV3-22" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="300" y="900" as="sourcePoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-10" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="WFfWZLXEymwSXmm__kdr-3" vertex="1" connectable="0">
+ <mxGeometry x="-0.4227" y="3" relative="1" as="geometry">
+ <mxPoint x="11" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-18" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontSize=15;endArrow=blockThin;endFill=1;" parent="1" source="SssYP0pVQeMwz5sfJHV3-30" target="a3aPwti0dP9LQcNFLp-g-8" edge="1">
+ <mxGeometry relative="1" as="geometry">
+ <mxPoint x="459.5" y="1691" as="sourcePoint" />
+ <mxPoint x="735" y="1691" as="targetPoint" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="WFfWZLXEymwSXmm__kdr-19" value="No" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=15;" parent="WFfWZLXEymwSXmm__kdr-18" vertex="1" connectable="0">
+ <mxGeometry x="-0.7573" y="-5" relative="1" as="geometry">
+ <mxPoint x="16" y="-19" as="offset" />
+ </mxGeometry>
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-2" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;endArrow=blockThin;endFill=1;fontSize=15;" parent="1" source="mP8Eb71_Q6LACfifqw_b-1" target="SssYP0pVQeMwz5sfJHV3-7" edge="1">
+ <mxGeometry relative="1" as="geometry" />
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-1" value="Signature" style="shape=parallelogram;perimeter=parallelogramPerimeter;whiteSpace=wrap;html=1;fixedSize=1;rounded=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="365" y="350" width="120" height="60" as="geometry" />
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-3" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="472" y="808.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="mP8Eb71_Q6LACfifqw_b-11" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="469.27" y="643.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-3" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="472" y="1282.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-4" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="472" y="1105.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-5" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="472" y="957.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-7" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="472" y="1454.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ <mxCell id="a3aPwti0dP9LQcNFLp-g-8" value="Not PD_ONLY" style="whiteSpace=wrap;html=1;aspect=fixed;rotation=0;rounded=1;shadow=1;fontSize=15;" parent="1" vertex="1">
+ <mxGeometry x="469.27" y="1618.5" width="121.82" height="67" as="geometry" />
+ </mxCell>
+ </root>
+ </mxGraphModel>
+ </diagram>
+</mxfile>
static DetectEngineFrameInspectionEngine *g_frame_inspect_engines = NULL;
// clang-format off
+// rule types documentation tag start: SignatureProperties
const struct SignatureProperties signature_properties[SIG_TYPE_MAX] = {
/* SIG_TYPE_NOT_SET */ { SIG_PROP_FLOW_ACTION_PACKET, },
/* SIG_TYPE_IPONLY */ { SIG_PROP_FLOW_ACTION_FLOW, },
/* SIG_TYPE_APPLAYER */ { SIG_PROP_FLOW_ACTION_FLOW, },
/* SIG_TYPE_APP_TX */ { SIG_PROP_FLOW_ACTION_FLOW, },
};
+// rule types documentation tag end: SignatureProperties
// clang-format on
/** \brief register inspect engine at start up time
/* Forward declarations for structures from Rust. */
typedef struct SCDetectRequiresStatus SCDetectRequiresStatus;
+// rule types documentation tag start: SignatureType
enum SignatureType {
SIG_TYPE_NOT_SET = 0,
SIG_TYPE_IPONLY, // rule is handled by IPONLY engine
SIG_TYPE_MAX,
};
+// rule types documentation tag end: SignatureType
enum SignaturePropertyFlowAction {
SIG_PROP_FLOW_ACTION_PACKET,
projects / thirdparty / suricata.git / commitdiff
