Syntax Rules of flow
The **flow** field specifies the detection direction and scope. Modifiers of **flow** are separated by a comma (<font color=red>**,**</font>), and a semicolon (<font color=red>**;**</font>) terminates the whole field. Only one **flow** field can be specified for each rule.

Example: <font color=red>` flow: from_server, session;`</font> indicates that the response traffic from the server is detected and the detection scope is session.

#### Modifiers Supported by flow

Modifiers supported by the **flow** syntax

| Keyword | Field Description |
| --------------------- | ---------------------------------------- |
| from\_client/to\_server | Detects the request traffic from the client. |
| from\_server/to\_client | Detects the response traffic from the server. |
| established | Detects the established session. |
| session | The detection mode is the session mode and the detection scope is an entire session. |
| message | The detection mode is the message mode and the detection scope is a single message. |
| packet | The detection mode is the single-packet mode and the detection scope is a single packet. |

#### Description of the Detection Scope

The detection scope of **flow** has three options: session, message, and packet. Only one option can be specified in a rule.

- **session**: The detection scope is an entire session. **The default mode is session.**
- **message**: The detection scope is a single message.
- **packet**: The detection scope is a single packet.

Example:

> GET /page1.html HTTP/1.1
> Host: www.test.com
>
> HTTP/1.1 200 OK
>
> GET /news/page2.html HTTP/1.1
> Host: www.test.com
>
> HTTP/1.1 404 Not Found

In the preceding example, two consecutive request and response messages are exchanged in the same data flow. The matching conditions are as follows:

```
flow:message; content: "page1.html"; http_uri; content: "200"; http_stat_msg;
```

The detection scope is message. The URI field value and status code value in the message match the feature string in the signature. The rule is matched.

```
flow:message; content: "page1.html"; http_uri; content: "404"; http_stat_msg;
```

The detection scope is message, but **page1.html** is in the first message and **404** is in the second message. The rule is not matched.

```
flow: session; content: "page1.html"; http_uri; content: "404"; http_stat_msg;
```

The detection scope is session. The rule is matched.

#### Default Values of flow

If the user does not specify a modifier when writing the **flow** field, the default values are as follows:

1. If no detection direction is specified, the two directions, from the client to the server and from the server to the client, are detected by default.
2. If no detection scope is specified, the session mode is used by default and the entire session is detected.
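The scope and default rules above can be checked with a small model. The following Python sketch is an added example, not the device's detection engine: `parse_flow`, `rule_matches`, and the `SESSION` data are hypothetical names, a "message" is modeled as one request/response exchange as in the example above, and packet scope is not modeled.

```python
# Added illustration: a simplified model of the flow field, not the vendor's engine.
DIRECTIONS = {"from_client": "to_server", "to_server": "to_server",
              "from_server": "to_client", "to_client": "to_client"}
SCOPES = {"session", "message", "packet"}

def parse_flow(field):
    """Parse 'flow: a, b;' and apply the documented defaults."""
    field = field.strip()
    name, _, body = field[:-1].partition(":")
    if not field.endswith(";") or name.strip() != "flow":
        raise ValueError("expected 'flow: <modifiers>;'")
    mods = [m.strip() for m in body.split(",") if m.strip()]
    scopes = [m for m in mods if m in SCOPES]
    unknown = [m for m in mods
               if m not in DIRECTIONS and m not in SCOPES and m != "established"]
    if unknown:
        raise ValueError(f"unsupported modifier(s): {unknown}")
    if len(scopes) > 1:
        raise ValueError("only one detection scope may be specified")
    dirs = {DIRECTIONS[m] for m in mods if m in DIRECTIONS}
    return {"directions": dirs or {"to_server", "to_client"},  # default: both
            "established": "established" in mods,
            "scope": scopes[0] if scopes else "session"}       # default: session

# Constructed data mirroring the two exchanges in the example above.
SESSION = [
    {"http_uri": "/page1.html", "http_stat_msg": "200 OK"},
    {"http_uri": "/news/page2.html", "http_stat_msg": "404 Not Found"},
]

def rule_matches(flow_field, conditions, session):
    """conditions: list of (buffer, needle); all must hit within one scope unit."""
    scope = parse_flow(flow_field)["scope"]
    if scope == "packet":
        raise NotImplementedError("packet boundaries are not modeled here")
    # Session scope: one unit holding every message. Message scope: one unit each.
    units = [session] if scope == "session" else [[m] for m in session]
    return any(all(any(needle in msg.get(buf, "") for msg in unit)
                   for buf, needle in conditions)
               for unit in units)
```

A signature that pairs a request feature with a response feature from a different exchange only fires in session scope, which is worth keeping in mind when narrowing a rule to message scope to reduce false positives.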