Feature #6067
Add field to track SID of Flowbit Matches
Status: open
Description
A lot of vendor rules are written to account for various conditions, but use the same flowbit name. This helps simplify the rule syntax, but from an analyst perspective it is difficult to track which flowbit rule actually matched in the rule. For example, Emerging Threats has 109 rules that set the flowbit rule "ET.genericphish", but there is no way to know which matched when the condition is set in the flow.
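The ambiguity described above can be measured in a ruleset before any alert fires. The following is an added example, not part of the original issue or of Suricata's code: it indexes which SIDs set each flowbit and reports every checked flowbit that has more than one possible setter. The rule text, SIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rules (not real Emerging Threats signatures).
SAMPLE_RULES = """
alert http any any -> any any (msg:"constructed setter A"; flowbits:set,ET.genericphish; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed setter B"; flowbits:set,ET.genericphish; flowbits:noalert; sid:1000002; rev:1;)
alert http any any -> any any (msg:"constructed checker"; flowbits:isset,ET.genericphish; sid:1000003; rev:1;)
alert http any any -> any any (msg:"constructed single setter"; flowbits:set,other.bit; flowbits:noalert; sid:1000004; rev:1;)
alert http any any -> any any (msg:"constructed single checker"; flowbits:isset,other.bit; sid:1000005; rev:1;)
# alert http any any -> any any (msg:"disabled"; flowbits:set,ET.genericphish; sid:1000006; rev:1;)
"""

# flowbits:<action>[,<name>[|<name>...]];  (noalert carries no name)
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def index_flowbits(rules_text):
    """Return (setters, checkers): flowbit name -> list of SIDs."""
    setters, checkers = defaultdict(list), defaultdict(list)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and disabled rules
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for action, names in FLOWBITS_RE.findall(line):
            for name in filter(None, (n.strip() for n in names.split("|"))):
                if action in ("set", "toggle"):
                    setters[name].append(sid)
                elif action in ("isset", "isnotset"):
                    checkers[name].append(sid)
    return setters, checkers


def ambiguous_checks(rules_text):
    """Flowbits that are checked somewhere and set by more than one SID."""
    setters, checkers = index_flowbits(rules_text)
    return {
        name: {"checked_by": sids, "possible_setters": setters[name]}
        for name, sids in checkers.items()
        if len(setters.get(name, [])) > 1
    }


if __name__ == "__main__":
    for name, info in ambiguous_checks(SAMPLE_RULES).items():
        print(name, info)
```
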