next up previous contents
Next: General Format Up: Non-Payload Detection Rule Options Previous: Examples   Contents


The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor (see Section2.2.2). It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol.

There are several keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. Some keyword uses group name. When no group name is specified the flowbits will belong to a default group. A particular flowbit can belong to more than one group. Flowbit name and group name should be limited to any alphanumeric string including periods, dashes, and underscores.


Eugene Misnik 2013-05-08