flow

flow

Use the flow keyword to specify the direction of the detection packet. It can only appear once in a signature and is used in pattern and dissector signatures. It can be applied to TCP and UDP sessions. It accepts one of the following direction values:

<direction>	Description
`from_client`	Matches packets sent from the client to the server.
`from_server`	Matches packets sent from the server to the client.
`bi_direction`	Matches packets sent from the client to the server and from the server to the client.
`reversed`	Specifies that the attack is in the opposite direction from the detected packet. A typical case is when a brute force login is detected by matching a server packet indicating that a login has failed. This keyword will not affect detection. Its purpose is to tell the GUI to display the correct location for the vulnerability (client or server).

Syntax:

--flow <direction>;

Examples:

--flow from_client;

--flow bi_direction; dst_port 123;      //match if source or destination port is 123.

flow

Description

from_client

Matches packets sent from the client to the server.

from_server

Matches packets sent from the server to the client.

bi_direction

Matches packets sent from the client to the server and from the server to the client.

reversed

Specifies that the attack is in the opposite direction from the detected packet. A typical case is when a brute force login is detected by matching a server packet indicating that a login has failed. This keyword will not affect detection. Its purpose is to tell the GUI to display the correct location for the vulnerability (client or server).

Syntax:

--flow <direction>;

Examples:

--flow from_client;

--flow bi_direction; dst_port 123; //match if source or destination port is 123.

Custom IPS and Application Control Signature Syntax Guide

flow

Syntax:

Examples:

flow

Syntax:

Examples: