Custom signatures | Creating custom signatures |
Table 6: TCP header keywords (Continued)
Keyword and Value | Description |
<FSRPAU120>[!*+][,<FSRPAU120>]; | Specify the TCP flags to match in a packet. |
| • S: Match the SYN flag. |
| • A: Match the ACK flag. |
| • F: Match the FIN flag. |
| • R: Match the RST flag. |
| • U: Match the URG flag. |
| • P: Match the PSH flag. |
| • 1: Match Reserved bit 1. |
| • 2: Match Reserved bit 2. |
| • 0: Match No TCP flags set. |
| • +: Match on the specified bits, plus any others. |
| • *: Match if any of the specified bits are set. |
| • !: Match if the specified bits are not set. |
| The first part of the value (<FSRPAU120>) defines the bits that must be present for a successful match. For example: |
| |
| only matches the case where both A and P bits are set. |
| The second part ([,<FSRPAU120>]) is optional, and defines the additional bits that can be present for a match. For example: |
| tcp_flags S,12 |
| matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2. |
| The modifiers !, * and + cannot be used in the second part. |
[!]<window_int>; | Check for the specified TCP window size. |
| You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x. |
| To have the FortiGate search for the absence of the specified window size, add an exclamation mark (!) before the window size. |
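
The tcp_flags matching rules in the table above can be checked before a signature is deployed with a small model like the following. This is an added example, not FortiGate code or part of the guide. The function names are hypothetical, and two readings of the table are assumptions: `!` is treated as "none of the specified bits set", and bits listed in the second part are ignored before the comparison.

```python
import re
from itertools import combinations

LETTERS = "FSRPAU12"  # flag letters from the table; "0" means no flags set
_SYNTAX = re.compile(r"([FSRPAU120]+)([!*+]?)(?:,([FSRPAU120]+))?")

def parse_tcp_flags(value):
    """Split '<FSRPAU120>[!*+][,<FSRPAU120>]' into (required, modifier, optional)."""
    m = _SYNTAX.fullmatch(value.strip().rstrip(";"))
    if m is None:
        # Also rejects a modifier in the second part, which the table forbids.
        raise ValueError(f"invalid tcp_flags value: {value!r}")
    first, modifier, second = m.groups()
    # "0" contributes no bits, so a lone "0" requires an empty flag set.
    required = frozenset(first) - {"0"}
    optional = frozenset(second or "") - {"0"}
    return required, modifier, optional

def matches(value, packet_flags):
    """True if packet_flags (letters set in the packet, e.g. 'SA') match value."""
    required, modifier, optional = parse_tcp_flags(value)
    # Assumption: bits listed in the second part are ignored before comparing.
    seen = frozenset(packet_flags) - {"0"} - (optional - required)
    if modifier == "+":      # the specified bits, plus any others
        return required <= seen
    if modifier == "*":      # any of the specified bits
        return bool(required & seen)
    if modifier == "!":      # assumption: none of the specified bits set
        return not (required & seen)
    return seen == required  # no modifier: exactly the specified bits

def accepted(value):
    """List every combination of the eight flag letters that value matches."""
    combos = ("".join(c) for n in range(len(LETTERS) + 1)
              for c in combinations(LETTERS, n))
    return [c or "0" for c in combos if matches(value, c)]

if __name__ == "__main__":
    # Constructed sample values; "S,12" is the example from the table.
    for v in ("S,12", "AP", "0", "SF*"):
        print(v, "->", len(accepted(v)), "combination(s), e.g.", accepted(v)[:4])
```

For `S,12` the enumeration returns exactly the four combinations the table lists, which makes it a quick way to see how much a `+` or `*` modifier widens a signature.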
FortiGate IPS User Guide Version 3.0 MR7 |