Feature #7481
Updated by Victor Julien 12 days ago
Allow setting the scope of the applied action (packet or flow currently) explicitly in the rule.
Suggesting a syntax:
<pre>
(drop|pass)[:(packet|flow)]
pass:flow tls any any -> any any (tls.sni; content:"suricata.io"; ... )
</pre>