#include <rlp.h>
| Data Fields | |
|---|---|
| Rlp_FlagType_t | F |
| Rlp_FlagType_t | S |
| Rlp_FlagType_t | R |
| Rlp_FlagType_t | P |
| Rlp_FlagType_t | A |
| Rlp_FlagType_t | U |
| Rlp_FlagType_t | r_2 |
| Rlp_FlagType_t | r_1 |
| Rlp_FlagType_t | noFlagsSet |
Test the TCP flags for a match.
There are actually 9 flag variables:

- F: FIN (LSB in TCP Flags byte)
- S: SYN
- R: RST
- P: PSH
- A: ACK
- U: URG
- 2: Reserved bit 2
- 1: Reserved bit 1 (MSB in TCP Flags byte)
- 0: No TCP Flags Set
There are also logical operators that can be used to specify matching criteria for the indicated flags:

- `+` ALL flag: match on all specified flags plus any others
- `*` ANY flag: match on any of the specified flags
- `!` NOT flag: match if the specified flags aren't set in the packet
The reserved bits can be used to detect unusual behavior, such as IP stack fingerprinting attempts or other suspicious activity.
A SYN-FIN scan detection rule:

```
alert any any -> 192.168.1.0/24 any (flags: SF,12; msg: "Possible SYN FIN scan";)
```
To handle writing rules for session initiation packets such as ECN, where a SYN packet is sent with the previously reserved bits 1 and 2 set, an option mask may be specified. A rule could check for a flags value of `S,12` if one wishes to find SYN packets regardless of the values of the reserved bits.

Format: `flags: <flag values>[,mask value];`
This is the entire list:

```
flags:0
flags:A
flags:A+
flags:F
flags:FPU
flags:PA
flags:PA12
flags:S
flags:S+
flags:SF12
flags:SFU12
flags:SA
flags:SF
flags:SFP
flags:SFPU
flags:SRAFPU
flags:U+
```
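As an added example that is not part of rlp.h, here is a small C matcher for the flags option described above: it parses a spec such as `SF,12` or `S+` into flag bits, mask bits and an operator, then tests a packet's TCP flags byte against it. It assumes the operator may appear either before or after the flag letters; the names `FlagSpec`, `parse_flags`, `flags_match` and `rule_matches` are mine, not the library's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Flag letters in bit order, LSB first, as the flag table above lists them:
 * F=0x01 S=0x02 R=0x04 P=0x08 A=0x10 U=0x20, reserved 2=0x40, reserved 1=0x80. */
static const char FLAG_NAMES[] = "FSRPAU21";
/* flags: bits named in the spec; mask: bits after the comma, ignored when comparing;
 * op: '+', '*', '!' or 0 for an exact match. */
typedef struct { uint8_t flags, mask; char op; } FlagSpec;
/* Map one flag letter to its bit; 0 for any other character. */
static uint8_t flag_bit(char c) {
    const char *p = c ? strchr(FLAG_NAMES, c) : NULL;
    return p ? (uint8_t)(1u << (p - FLAG_NAMES)) : 0;
}
/* Parse "<flags>[,<mask>]" such as "SF,12", "S+", "!A" or "0" (no flags set).
 * Assumption: the operator is accepted either before or after the flag letters. */
bool parse_flags(const char *spec, FlagSpec *out) {
    uint8_t *dst = &out->flags;
    bool seen = false;
    memset(out, 0, sizeof *out);
    for (; *spec && *spec != ';'; spec++) {
        char c = *spec;
        if (c == ' ') continue;
        if (c == ',') { dst = &out->mask; continue; }
        if (c == '0' && dst == &out->flags) { seen = true; continue; }
        if (strchr("+*!", c) && dst == &out->flags && !out->op) { out->op = c; continue; }
        if (!flag_bit(c)) return false;
        *dst |= flag_bit(c);
        seen = true;
    }
    return seen;
}

/* Test a packet's TCP flags byte against a parsed spec. */
bool flags_match(const FlagSpec *s, uint8_t pkt_flags) {
    uint8_t f = pkt_flags & (uint8_t)~s->mask;    /* masked bits are ignored */
    switch (s->op) {
    case '+': return (f & s->flags) == s->flags;  /* all specified, others allowed */
    case '*': return (f & s->flags) != 0;         /* any of the specified */
    case '!': return (f & s->flags) == 0;         /* none of the specified */
    default:  return f == s->flags;               /* exact match; "0" means f == 0 */
    }
}
/* Parse and match in one step: 1 match, 0 no match, -1 unparsable spec. */
int rule_matches(const char *spec, uint8_t pkt_flags) {
    FlagSpec s;
    if (!parse_flags(spec, &s)) return -1;
    return flags_match(&s, pkt_flags) ? 1 : 0;
}
```

With this, an ECN-style SYN (0xC2: SYN plus both reserved bits) fails the exact spec `S` but matches `S,12`, which is the masking case the text describes.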
Definition at line 509 of file rlp.h.