Suricata

It would be nice if Suricata has a rule keyword for disregarding "midstream" flows, this especially makes sense for some really specific rules that:

• need to ensure the direction of the flow is correct
• need to ensure that the stream_sizes of the flow is correct

This breaks when midstream flows are created (eg, during long sessions or traffic with heavy packet loss) and make these rules generate more false positives, as it can:

• guess the direction of the flow incorrectly
• stream_size is reset at midstream.

So it would be nice when creating such rules to have a flow keyword to match explicitly on non midstream traffic, for example:

• flow:no_midstream
• flow:only_midstream

Example with multiple flow keywords:

flow:established,to_server,no_midstream