Snort's flow keyword
When reading the description of Snort's flow keyword, there are some things I don't understand.
I can't make sense of flow's to_server, to_client, from_server and from_client. How do you tell which side is the server and which is the client?
If it is about direction, can't you just specify that in the rule with ->?
If it is about telling server from client by the ACK and SYN flags, then why not use the flags keyword?
I looked up some material that says it works together with the stream4 preprocessor's TCP reassembly. I don't understand that!
Does any expert here know? Could you give an example to explain it!?
Below is the description from the Snort user manual:
3.6.9 flow
The flow rule option is used in conjunction with TCP stream reassembly (see Section 2.1.3). It allows rules to only apply to certain directions of the traffic flow.
This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running in the $HOME_NET.
The established keyword will replace the flags: A+ used in many places to show established TCP connections.
Options:
to_client: Trigger on server responses from A to B
to_server: Trigger on client requests from A to B
from_client: Trigger on client requests from A to B
from_server: Trigger on server responses from A to B
established: Trigger only on established TCP connections
stateless: Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)
no_stream: Do not trigger on rebuilt stream packets (useful for dsize and stream4)
only_stream: Only trigger on rebuilt stream packets
[ This post was last edited by nanjinperl on 2007-7-31 21:12 ]
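An added illustration of the distinction the question above is asking about; this is my own example code, not part of the original post and not Snort's source. The tracker, session table, addresses and packets are constructed, simplified stand-ins (real stream4 keeps far more state). It models the rule Snort's stream preprocessor applies: the host that sent the first SYN is the client and the host that answered with SYN/ACK is the server, so flow:to_server (same as from_client) means "this packet was sent by the client side of the tracked session", regardless of which addresses the `->` in the rule header happens to match, and flow:established means the tracker saw the full three-way handshake, which a lone packet with the ACK bit set (the old flags:A+ test) cannot prove.

```python
"""Toy model of what Snort's stream preprocessor hands to the flow keyword.
Added illustration, not Snort source: the host that sent the first SYN is the
"client", the host that answered with SYN/ACK is the "server", and "established"
is only true once the whole three-way handshake was seen. All data is constructed.
"""
from collections import namedtuple
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
Packet = namedtuple("Packet", "src sport dst dport flags")

@dataclass
class Session:
    client: tuple        # (ip, port) that sent the initial SYN
    server: tuple        # (ip, port) that answered with SYN/ACK
    state: str = "SYN"   # SYN -> SYN_ACK -> ESTABLISHED

class StreamTracker:
    """Simplified, hypothetical stand-in for the stream4 session table."""
    def __init__(self):
        self.sessions = {}

    def process(self, p):
        """Feed one packet; return its Session, or None if no tracked flow owns it."""
        k = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        s = self.sessions.get(k)
        if s is None:
            if p.flags == SYN:  # only a bare SYN opens a session; midstream packets stay untracked
                s = self.sessions[k] = Session((p.src, p.sport), (p.dst, p.dport))
            return s
        sender = (p.src, p.sport)
        if s.state == "SYN" and sender == s.server and p.flags == SYN | ACK:
            s.state = "SYN_ACK"
        elif s.state == "SYN_ACK" and sender == s.client and p.flags & ACK:
            s.state = "ESTABLISHED"
        return s

def flow_matches(option, p, s):
    """Evaluate one flow: option for packet p given its tracked session s (or None)."""
    if option == "stateless":
        return True      # ignores the stream tracker entirely
    if s is None:
        return False     # every other option needs a tracked session
    sender = (p.src, p.sport)
    if option in ("to_server", "from_client"):
        return sender == s.client
    if option in ("to_client", "from_server"):
        return sender == s.server
    if option == "established":
        return s.state == "ESTABLISHED"
    raise ValueError(option)

def flags_a_plus(p):
    """The old 'flags:A+' test: looks only at the ACK bit of this one packet."""
    return bool(p.flags & ACK)

def header_direction_matches(p, src_net, dst_net):
    """The '->' of a rule header: packet address direction only (prefixes stand in for CIDRs)."""
    return p.src.startswith(src_net) and p.dst.startswith(dst_net)

def handshake(tracker, client, server):
    """Replay SYN, SYN/ACK, ACK between two (ip, port) endpoints."""
    tracker.process(Packet(*client, *server, SYN))
    tracker.process(Packet(*server, *client, SYN | ACK))
    tracker.process(Packet(*client, *server, ACK))

def demo():
    """Three constructed scenarios; returns each check's result by name."""
    HOME, EXT = "10.0.0.", "203.0.113."
    t, out = StreamTracker(), {}

    # 1. Home host is the client (it sent the SYN) talking to an outside web server.
    c, srv = ("10.0.0.5", 40000), ("203.0.113.7", 80)
    handshake(t, c, srv)
    req = Packet(*c, *srv, ACK)                   # request: client -> server
    s = t.process(req)
    out["req_to_server"] = flow_matches("to_server", req, s)
    out["req_established"] = flow_matches("established", req, s)

    # 2. Home host is the server: the SYN came from outside, so a reply that
    #    travels $HOME_NET -> $EXTERNAL_NET is still "from_server", not "to_server".
    c2, srv2 = ("203.0.113.9", 51000), ("10.0.0.20", 80)
    handshake(t, c2, srv2)
    resp2 = Packet(*srv2, *c2, ACK)
    s = t.process(resp2)
    out["resp2_header_home_to_ext"] = header_direction_matches(resp2, HOME, EXT)
    out["resp2_to_server"] = flow_matches("to_server", resp2, s)
    out["resp2_from_server"] = flow_matches("from_server", resp2, s)

    # 3. A lone ACK with no handshake behind it (spoofed, or picked up midstream).
    stray = Packet("203.0.113.66", 4444, "10.0.0.5", 22, ACK)
    s = t.process(stray)
    out["stray_flags_a_plus"] = flags_a_plus(stray)   # flags:A+ is satisfied anyway
    out["stray_established"] = flow_matches("established", stray, s)
    out["stray_stateless"] = flow_matches("stateless", stray, s)
    return out
```

Scenario 2 is the one that answers "why not just use ->": the reply leaves $HOME_NET and so matches a `$HOME_NET any -> $EXTERNAL_NET any` header, but it comes from the server side of the session, so flow:to_server rejects it while flow:from_server accepts it. Scenario 3 shows why the manual says established replaces flags:A+: the stray packet carries the ACK bit, yet no handshake was ever tracked, so only flow:stateless fires on it.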