flow
The flow keyword is used to specify the direction of the detection packet. It can only appear once in a signature and is used in pattern and dissector signatures. It can be applied to TCP and UDP sessions. It accepts one of the following direction values:
| <direction> | Description |
|---|---|
| from_client | Matches packets sent from the client to the server. |
| from_server | Matches packets sent from the server to the client. |
| bi_direction | Matches packets sent from the client to the server and from the server to the client. |
| reversed | Specifies that the attack is in the opposite direction from the detected packet. A typical case is when a brute force login is detected by matching a server packet indicating that a login has failed. This keyword will not affect detection. Its purpose is to tell the GUI to display the correct location for the vulnerability (client or server). |
Syntax:
--flow <direction>;
Examples:
--flow from_client;
--flow bi_direction; --dst_port 123; //match if source or destination port is 123
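
The rules stated above (flow appears at most once, and its value is one of the four listed directions) can be checked before a custom signature is deployed. The following is an added example, not part of the original documentation or the product's tooling; it assumes options are written as `--keyword value;` with optional double-quoted values and trailing `//` comments, and the function names are hypothetical.

```python
import re

# Direction values listed in the table above.
FLOW_DIRECTIONS = {"from_client", "from_server", "bi_direction", "reversed"}

# One option: --keyword, zero or more values, then ';'.
# Assumption: a value is a bare token or a double-quoted string (which may contain ';').
OPTION_RE = re.compile(r'--(\w+)((?:\s+(?:"(?:[^"\\]|\\.)*"|[^;"\s]+))*)\s*;')

def strip_comment(line):
    """Drop a trailing // comment, ignoring any // inside double quotes."""
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 2          # skip the escaped character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def parse_options(signature):
    """Return (keyword, value) pairs in the order they appear."""
    body = " ".join(strip_comment(l) for l in signature.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in OPTION_RE.finditer(body)]

def lint_flow(signature):
    """Return a list of problems with the flow keyword; empty means OK."""
    flows = [v for k, v in parse_options(signature) if k == "flow"]
    problems = []
    if len(flows) > 1:
        problems.append(f"flow appears {len(flows)} times; it may appear only once")
    for value in flows:
        if value not in FLOW_DIRECTIONS:
            problems.append(f"unknown flow direction: {value!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: the second page example, then two faulty ones.
    samples = [
        "--flow bi_direction; --dst_port 123; //match if source or destination port is 123",
        "--flow from_client; --flow from_server;",
        "--flow to_server;",
    ]
    for s in samples:
        print(s, "->", lint_flow(s) or "OK")
```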