From: Juliana Fajardini Date: Mon, 29 Jul 2024 19:55:30 +0000 (-0300) Subject: userguide: clarify flow:stateless explanation X-Git-Tag: suricata-8.0.0-beta1~953 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=246acc714071c96f81028b55dcedd753479dbcb6;p=thirdparty%2Fsuricata.git userguide: clarify flow:stateless explanation While not incorrect, the previous wording made the sentence almost paradoxical. While at it, also highlight a side effect that might not be so clear to users. Related to Bug #6976 --- diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst index fff833a8ba..0080135230 100644 --- a/doc/userguide/rules/flow-keywords.rst +++ b/doc/userguide/rules/flow-keywords.rst @@ -90,7 +90,8 @@ established not_established Match on packets that are not part of an established connection. stateless - Match on packets that are and are not part of an established connection. + Match on packets that are part of a flow, regardless of connection state. + (This means that packets that are not seen as part of a flow won't match). only_stream Match on packets that have been reassembled by the stream engine. no_stream @@ -403,4 +404,4 @@ The number of packets can be matched exactly, or compared using the _op_ setting Signature example:: - alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;) \ No newline at end of file + alert ip any any -> any any (msg:"Flow has less than 2000 bytes"; flow.bytes_toserver:<2000; sid:1;)
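Review bot: in the flow-keywords.rst hunk (the `stateless` entry), the added parenthetical is punctuated inconsistently: it opens as a full sentence with a capital "This" but the period sits outside the closing parenthesis, i.e. `(This means that packets that are not seen as part of a flow won't match).`. Either move the period inside the parentheses or drop the parentheses and make it a plain second sentence, e.g. `This means that packets that are not seen as part of a flow won't match.`, which also renders more cleanly in the RST definition list. The new first sentence ("part of a flow, regardless of connection state") does remove the paradoxical reading of the old "are and are not" wording, so the substance of the change looks right.

Review bot: the second hunk only adds the missing trailing newline after the `flow.bytes_toserver:<2000` signature example, which is unrelated to the `flow:stateless` wording the subject line and message describe. It is a harmless whitespace fix, but it should either be mentioned in the commit message (one line such as "Also add missing newline at end of file") or be split into its own commit so that `git blame` on that example line does not point at a documentation wording change.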