Use the Signature Rule Flag dialog box to add or change a flag.
Flags link the result of one rule to another rule evaluated on the same connection. By chaining rules through flags you can express conditions that cannot be written in a single rule.
For example, one rule can identify the standard opening negotiation of a particular protocol and set a flag to record that fact.
A second rule can identify an exploit in the same protocol but match only if the flag set by the first rule is present, so the exploit signature does not fire on traffic that never completed the negotiation.
Each connection has its own flag store, so a flag set on one connection has no effect on any other connection, even another connection from the same visitor.
| Type | Notes |
| --- | --- |
| Set flag | Action: if all the other conditions of the rule are met, the flag value is saved in the connection's flag store. |
| Clear flag | Action: if all the other conditions of the rule are met, the flag value is removed from the flag store. |
| Toggle flag | Action: if all the other conditions of the rule are met, the flag value is removed if it is present in the flag store and added if it is not. |
| Is flag set | Condition: if the flag value is present in the flag store, the condition is met. If it is not present, the rule fails to match. |
| Is flag not set | Condition: if the flag value is not present in the flag store, the condition is met. If it is present, the rule fails to match. |
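The following is an added example that models the behaviour described above; it is not the product's own rule engine or rule syntax. The rule names, the "PROTOX" protocol, the `Rule`/`FlagOp` types and all traffic are constructed for illustration. Each rule's "other conditions" are reduced to a regular expression over the message, and each connection ID gets its own flag store so that the handshake on one connection cannot enable the exploit rule on another.

```python
# Added example: toy model of per-connection flag stores (not product code).
# The PROTOX protocol, rule names and traffic below are all constructed.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class FlagOp(Enum):
    SET = "set"                # action: add the flag when the rule matches
    CLEAR = "clear"            # action: remove the flag when the rule matches
    TOGGLE = "toggle"          # action: flip the flag when the rule matches
    IS_SET = "is set"          # condition: rule matches only if the flag is present
    IS_NOT_SET = "is not set"  # condition: rule matches only if the flag is absent


@dataclass
class Rule:
    name: str
    pattern: str                  # the rule's "other conditions", modelled as a regex
    flag: Optional[str] = None
    op: Optional[FlagOp] = None


def evaluate(rule: Rule, payload: str, store: Set[str]) -> bool:
    """Evaluate one rule against one message; action ops mutate the store."""
    if re.search(rule.pattern, payload) is None:
        return False                      # other conditions not met: no flag action either
    if rule.op is FlagOp.IS_SET and rule.flag not in store:
        return False
    if rule.op is FlagOp.IS_NOT_SET and rule.flag in store:
        return False
    # All conditions met: apply the flag action, if the rule has one.
    if rule.op is FlagOp.SET:
        store.add(rule.flag)
    elif rule.op is FlagOp.CLEAR:
        store.discard(rule.flag)
    elif rule.op is FlagOp.TOGGLE:
        if rule.flag in store:
            store.remove(rule.flag)
        else:
            store.add(rule.flag)
    return True


def run(rules: List[Rule], traffic: List[Tuple[str, str]]):
    """Feed (connection_id, payload) messages through the rules in order.

    Each connection gets its own flag store, so flags never leak between
    connections, even two connections from the same client.
    """
    stores: Dict[str, Set[str]] = {}
    hits: List[Tuple[str, str]] = []
    for conn_id, payload in traffic:
        store = stores.setdefault(conn_id, set())
        for rule in rules:
            if evaluate(rule, payload, store):
                hits.append((conn_id, rule.name))
    return hits, stores


RULES = [
    Rule("protox-handshake", r"^HELLO PROTOX/1\.", "protox_negotiated", FlagOp.SET),
    Rule("protox-overlong-cmd", r"^CMD \S{64,}", "protox_negotiated", FlagOp.IS_SET),
    Rule("protox-close", r"^BYE$", "protox_negotiated", FlagOp.CLEAR),
]

LONG_CMD = "CMD " + "A" * 80          # constructed "exploit" payload
TRAFFIC = [
    ("conn-1", "HELLO PROTOX/1.0"),   # negotiation: sets the flag on conn-1 only
    ("conn-2", LONG_CMD),             # same client, other connection: no flag, no hit
    ("conn-1", LONG_CMD),             # flag present: exploit rule fires
    ("conn-1", "BYE"),                # close: clears the flag
    ("conn-1", LONG_CMD),             # flag gone: no hit
]


def demo():
    return run(RULES, TRAFFIC)


if __name__ == "__main__":
    hits, stores = demo()
    for conn_id, name in hits:
        print(f"{conn_id}: {name}")
    print(stores)
```

Two points the run makes concrete: the overlong command on `conn-2` is ignored even though it matches the exploit pattern, because the flag lives in `conn-1`'s store; and once the close rule clears the flag, the same payload on `conn-1` stops matching. In this model rules are evaluated in list order within one message, so a Set flag rule that precedes an Is flag set rule can enable it on the same message; whether the real product evaluates rules that way is an assumption, not something this page states.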