Project

General

Profile

Actions
Copy link

Support #1428

closed

Flow-keywords clarification

Added by god lol over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

The https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords page gives pretty nice but very brief intro into topic. The most confusing part is the mutually-exclusive to_server, from_server, to_client, from_client set of keywords. What is the difference between to_client and from_server? What about from_client and to_server?

If it's the same thing than why 2 different names? If it's not than more elaborate write-up and some examples of when from_client would match but to_server wouldn't and vice-versa would be of great help for writing rules for Suricata.

If it's already cleared up in some article than at least link to it should be included into abovementioned wiki page.

Actions
Copy link
 #1

Updated by Victor Julien over 9 years ago

from_server and to_client are the same, and so are to_server and from_client. This comes from the original Snort language and we support it for compatibility reasons.

Actions
Copy link
 #2

Updated by god lol over 9 years ago

Thanks for explanation, I think It's worth clarifying that explicitly on the wiki for people without snort background.

Actions
Copy link
 #3

Updated by Peter Manev over 9 years ago

  • Status changed from New to Closed

Wiki - Updated

Actions
Copy link

Also available in: Atom PDF