Can anyone clarify the relation between bytes_toserver and the stream_size alert keyword? I am hoping to be able to identify all sorts of egress traffic (shells!) that exceed a certain threshold.
Is stream_size something that could be significantly lower than bytes_toserver / toclient because of some difference in the code logic?