I inconsistent packet (e.g. SYN+RST bits both set)
I don’t actually know what ‘I’ stands for, but it’s for fin/rst packets, not syn/rst (although that would also be viable as long as fin is also set)
I got ‘I’ from bro document
https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
L a fin/rst
I don’t believe that ‘L’ is a valid flag for the history field. Where did you find this?
Sorry I got mix up with capital ‘I’ and lower case ‘L’