I am currently going through the Suricata documentation and I am a bit puzzled by the explanation provided for the stateless flow option, see here. It says:
Match on packets that are and are not part of an established connection.
I understand that established / not_established means different things depending on the protocol used (TCP/UDP), but how can a packet be part of an established and a not_established connection at the same time? E.g. how can a packet be part of the connection both before and after the handshake? A short explanation would be very much appreciated.
The Suricata documentation still has some flaws and I believe this might be the case here.
They probably meant to write OR instead of AND, so that the packet's connection state does not matter for the rule. Please take my answer with a pinch of salt.
That makes more sense, yes. But if that is the case, then I am asking myself what this keyword even does. If the connection state should not matter, then what would be the difference from a rule without this keyword? I would think that rule would not care about the connection state either.
Indeed, your doubts sound fair to me as well. Currently, I am unable to test it, but I guess it can just make the rule more explicit.