TCP keywords
------------
tcp.flags
^^^^^^^^^

The tcp.flags keyword checks for specific `TCP flag bits
<https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure>`_.

The following flag bits may be checked:

==== ====================================
Flag Description
==== ====================================
F    FIN - Finish
S    SYN - Synchronize sequence numbers
R    RST - Reset
P    PSH - Push
A    ACK - Acknowledgment
U    URG - Urgent
C    CWR - Congestion Window Reduced
E    ECE - ECN-Echo
0    No TCP Flags Set
==== ====================================

The following modifiers can be set to change the match criteria:

======== ===================================
Modifier Description
======== ===================================
``+``    match on the bits, plus any others
``*``    match if any of the bits are set
``!``    match if the bits are not set
======== ===================================

To handle writing rules for session initiation packets such as ECN, where a SYN
packet is sent with the CWR and ECE flags also set, an option mask may be used by
appending a comma and the flags to be ignored. The ignored flags are masked out of
the packet's flags before the comparison is made. For example, a rule that checks
for a SYN flag, regardless of the values of the ECN bits, is ``tcp.flags:S,CE;``

Format of tcp.flags::

    tcp.flags:[modifier]<test flags>[,<ignore flags>];
    tcp.flags:[!|*|+]<FSRPAUCE0>[,<FSRPAUCE>];

Example::

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Example tcp.flags sig"; \
    :example-rule-emphasis:`tcp.flags:FPU,CE;` classtype:misc-activity; sid:1; rev:1;)
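The modifier and mask semantics above are easy to get wrong when writing rules, for instance ``tcp.flags:S;`` does not match an ECN SYN (SYN+ECE+CWR) unless the mask is added. The following is an added worked example, not code from the Suricata project: a small Python matcher that parses a ``tcp.flags`` option string in the documented format and evaluates it against the flags byte of a TCP header, using the standard bit values for each flag (FIN=0x01 ... CWR=0x80). The ``!`` modifier is implemented here as the complement of ``+`` (true when the named bits are not all set), which is this example's reading of the table; the authoritative behaviour is Suricata's own detection code. The sample TCP header bytes at the bottom are constructed for the demonstration.

```python
import re

# Bit values of the TCP flags byte (header offset 13), as laid out in the TCP header.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "C": 0x80,  # CWR
}

# tcp.flags:[!|*|+]<FSRPAUCE0>[,<FSRPAUCE>];  (keyword prefix and ';' are optional here)
_SPEC_RE = re.compile(r"^([!*+]?)([FSRPAUCE0]+)(?:,([FSRPAUCE]+))?$")


def flags_from_letters(letters):
    """Turn a string of flag letters into a bitmask; '0' contributes no bits."""
    value = 0
    for ch in letters:
        if ch != "0":
            value |= FLAG_BITS[ch]
    return value


def parse_tcp_flags(spec):
    """Parse a tcp.flags option into (modifier, test_bits, ignore_bits).

    Accepts both 'tcp.flags:S,CE;' and the bare option 'S,CE'.
    """
    body = spec.strip()
    if body.startswith("tcp.flags:"):
        body = body[len("tcp.flags:"):]
    body = body.rstrip(";").strip()
    m = _SPEC_RE.match(body)
    if not m:
        raise ValueError(f"invalid tcp.flags option: {spec!r}")
    modifier, test, ignore = m.groups()
    if "0" in test and (len(test) > 1 or modifier):
        # This example treats '0' as standing alone; it means "no flags set".
        raise ValueError("flag '0' cannot be combined with other flags or a modifier")
    return modifier, flags_from_letters(test), flags_from_letters(ignore or "")


def tcp_flags_match(spec, packet_flags):
    """Evaluate a tcp.flags option against a packet's TCP flags byte."""
    modifier, test, ignore = parse_tcp_flags(spec)
    flags = (packet_flags & ~ignore) & 0xFF   # ignored flags are masked out first
    if modifier == "":
        return flags == test                 # exact match: these bits and no others
    if modifier == "+":
        return (flags & test) == test        # these bits, plus any others
    if modifier == "*":
        return (flags & test) != 0           # any of these bits
    # "!": the named bits are not (all) set; complement of "+" in this example
    return (flags & test) != test


def flags_from_tcp_header(segment):
    """Return the flags byte of a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


# Constructed 20-byte TCP header: sport 1234, dport 80, data offset 5,
# flags byte 0xC2 = CWR|ECE|SYN, i.e. an ECN-setup SYN.
ECN_SYN_HEADER = (
    b"\x04\xd2\x00\x50"      # source port, destination port
    b"\x00\x00\x00\x01"      # sequence number
    b"\x00\x00\x00\x00"      # acknowledgment number
    b"\x50\xc2"              # data offset (5 words), flags CWR|ECE|SYN
    b"\xff\xff\x00\x00\x00\x00"  # window, checksum (unset), urgent pointer
)


def demo():
    """Evaluate a few rule options against the constructed ECN SYN."""
    flags = flags_from_tcp_header(ECN_SYN_HEADER)
    return {
        "S": tcp_flags_match("tcp.flags:S;", flags),        # plain SYN: no match
        "S,CE": tcp_flags_match("tcp.flags:S,CE;", flags),  # SYN ignoring ECN bits
        "+S": tcp_flags_match("tcp.flags:+S;", flags),      # SYN plus anything
        "!S": tcp_flags_match("tcp.flags:!S;", flags),      # SYN not set
    }


if __name__ == "__main__":
    for option, matched in demo().items():
        print(f"tcp.flags:{option};  ->  {'match' if matched else 'no match'}")
```

Run it directly to see why the mask matters: the plain ``S`` option fails against the ECN SYN while ``S,CE`` matches, and ``+S`` matches because the extra bits are allowed rather than ignored. Feeding it flags bytes pulled from a pcap (offset 13 of the TCP header) is a quick way to sanity-check a ``tcp.flags`` option before deploying the rule.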

It is also possible to use the ``tcp.flags`` content as a fast_pattern by using the
``prefilter`` keyword. For more information on ``prefilter`` usage see
:doc:`prefilter-keywords`.

Example::

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Example tcp.flags sig"; \
    :example-rule-emphasis:`tcp.flags:FPU,CE; prefilter;` classtype:misc-activity; sid:1; rev:1;)

seq
^^^
The seq keyword can be used in a signature to check for a specific TCP