Feature #1867
closed
Snort compatibility: flow:not_established not supported.
Added by Jason Ish about 9 years ago. Updated about 9 years ago.
Description
Suricata does not support the "not_established" argument to the "flow" keyword which is used in some Snort rules.
While at it, add Snort's no_frags and only_frags as well. This is a trivial check: p->flags & PKT_IS_FRAGMENT.
Victor Julien wrote:
While at it, add Snort's no_frags and only_frags as well. This is a trivial check: p->flags & PKT_IS_FRAGMENT.
I think it's a little different than that. It looks like no_frag and only_frag refer to the rebuilt packets. If "no_frag", then do not trigger on reassembled packets. If only_frag, then only trigger on re-assembled packets.