Unknown rule keyword 'flow.pkts_toclient'

Giovanni_B · February 6, 2024, 11:36am

Hello,

I’m runnning Suricata 7.0.2 on ubuntu and I’m having problems with this suricata rule :

drop ip any any -> any any (msg:" alert "; flow.pkts_toclient:0; sid:100130; rev:1; flow:to_server; flowbits:set,ip_blocked; flowbits:isnotset,ip_blocked;)

I’m getting this error: unknown rule keyword 'flow.pkts_toclient'

It is strange since this keyword can be found in the official docs for Suricata 7.0.2, which is the version I am running.

any ideas?

Thanks

Andreas_Herz · February 6, 2024, 11:44am

This is not part of 7.0.2 see 8.11. Flow Keywords — Suricata 7.0.2 documentation this got introduced in current master, see Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well - Suricata - Open Information Security Foundation so it will be in 8.0

Giovanni_B · February 6, 2024, 3:37pm

That makes sense, thank you!

Topic		Replies	Views
Difference in rule action when using "!" in destination IP field Help	2	184	November 15, 2023
Strange behavior with pass and drop rule Help	14	1296	July 9, 2021
Most simple rule with "content" keyword doesn't work Rules rules , suricata	0	79	May 15, 2024
Suricata rules about network scan Rules rules	2	804	January 18, 2023
Missing 1 piece of the puzzle Help ips	2	1532	February 5, 2021

Unknown rule keyword 'flow.pkts_toclient'

Related Topics