Pseries Installation Guide
120 Appendix B
flow This keyword applies the rule to a specific traffic flow
direction.
The flow can be in one of two states:
• established: Trigger only on established TCP
connections.
• stateless: Trigger regardless of the state of the
stream processor.
The direction parameter has the following options:
• to_client: Trigger on server responses from A to B.
• to_server: Trigger on client requests from A to B.
• from_client: Trigger on client requests from A to B.
• from_server: Trigger on server responses from A to
B.
• no_stream: Do not trigger on rebuilt stream packets.
• only_stream: Only trigger on rebuilt stream packets.
flow: [established|stateless] [,
direction];
icmp_id This keyword checks for a specific ICMP ID value. icmp id:number;
icmp_seq This keyword checks for a specific ICMP sequence value. icmp seq: number;
icode This keyword checks for a specific ICMP code value. icode: [>|<] number [{>|<} number];
id This keyword checks the IP ID field for the specified
value.
id:number;
ip_proto This keyword inspects the IP protocol header. ip_proto: [!|>|<] {name |number};
itype This keyword checks for the specified ICMP type value. itype:[>|<] number [{>
|<} number];
nocase This keyword matches strings without regard for
capitalization. This keyword modifies the content
keyword.
nocase;
protocol Enter the protocol. {ICMP | UDP | TCP | IP}
seq This keyword checks for the specified TCP sequence
number.
seq:number;
source
address
Enter the address from which traffic is arriving. The A.B.C.D/{subnet_mask}
destination
address
Enter the address to which traffic is destined. A.B.C.D/{subnet_mask}
souce port Enter the port from which traffic is arriving. port_number
destination
port
Enter the port to which traffic is destined. port_number
tos This keyword checks for the specified ToS value. tos: [!] number;
Table 28 Description of P-Series Snort Keywords
Keyword Description Rule Syntax