Hi Philippe,
I tried flow.pkts_toclient before I noticed that it is only implemented in V 8.0.0.
But that would only work for the number-of-packets rule specifically. Another example I would like to implement would be “In every flow a minimum of X ack flags is set”.
I could probably count ack flags in a flowint and then compare once I find a fin/ack, but what if an attacker does not send fin/ack?
Checking flowints when terminating through timeout, fin->fin/ack, etc. (does rst count?) is the only thing I can think of that works in every case.
Thank you very much for helping
-T0llsk1