Unknown rule keyword 'flow.pkts_toclient'

Giovanni_B · February 6, 2024, 11:36am

Hello,

I’m runnning Suricata 7.0.2 on ubuntu and I’m having problems with this suricata rule :

drop ip any any -> any any (msg:" alert "; flow.pkts_toclient:0; sid:100130; rev:1; flow:to_server; flowbits:set,ip_blocked; flowbits:isnotset,ip_blocked;)

I’m getting this error: unknown rule keyword 'flow.pkts_toclient'

It is strange since this keyword can be found in the official docs for Suricata 7.0.2, which is the version I am running.

any ideas?

Thanks

Andreas_Herz · February 6, 2024, 11:44am

This is not part of 7.0.2 see 8.11. Flow Keywords — Suricata 7.0.2 documentation this got introduced in current master, see Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well - Suricata - Open Information Security Foundation so it will be in 8.0

Giovanni_B · February 6, 2024, 3:37pm

That makes sense, thank you!

Topic		Replies	Views
Unknown rule keyword 'flow.bytes_toserver' Help community , rules	3	188	May 2, 2024
Difference in rule action when using "!" in destination IP field Help	2	188	November 15, 2023
Strange behavior with pass and drop rule Help	14	1332	July 9, 2021
Suricata flow keyword causing cpu/mem overload Help	3	513	January 17, 2023
Help Needed ! Suricata drops - ,"metadata":{"flowints":{"http.anomaly.count":1}}, Rules ips , rules	5	276	October 7, 2023

Unknown rule keyword 'flow.pkts_toclient'

Related topics