Custom signatures

Creating custom signatures

Table 6: TCP header keywords (Continued)

Keyword and Value: --tcp_flags <FSRPAU120>[!*+][,<FSRPAU120>];

Description: Specify the TCP flags to match in a packet.

    S: Match the SYN flag.
    A: Match the ACK flag.
    F: Match the FIN flag.
    R: Match the RST flag.
    U: Match the URG flag.
    P: Match the PSH flag.
    1: Match Reserved bit 1.
    2: Match Reserved bit 2.
    0: Match no TCP flags set.
    +: Match on the specified bits, plus any others.
    *: Match if any of the specified bits are set.
    !: Match if the specified bits are not set.

    The first part of the value (<FSRPAU120>) defines the bits that must be
    present for a successful match. For example:

        --tcp_flags AP

    only matches the case where both the A and P bits are set.

    The second part ([,<FSRPAU120>]) is optional, and defines the additional
    bits that may be present for a match. For example:

        --tcp_flags S,12

    matches the following combinations of flags: S; S and 1; S and 2;
    S and 1 and 2.

    The modifiers !, * and + cannot be used in the second part.

Keyword and Value: --window_size [!]<window_int>;

Description: Check for the specified TCP window size.

    You can specify the window size as a hexadecimal or decimal integer.
    A hexadecimal value must be preceded by 0x.

    To have the FortiGate search for the absence of the specified window
    size, add an exclamation mark (!) before the window size.
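A small Python model of how these two keywords evaluate a packet's TCP flags byte and window field, added here as an illustration and not Fortinet's implementation. Where the table is silent (the bit values of reserved bits 1 and 2, and how the optional second part combines with a modifier) it assumes Snort-style conventions: bits 1 and 2 are the two high-order bits of the flags byte (CWR 0x80, ECE 0x40), and the second part's bits are simply ignored before the comparison.

```python
import re

# Flag letter -> bit in the TCP flags byte (RFC 793; ECN bits from RFC 3168).
# Assumption: the guide gives no bit values, so reserved bit 1 and 2 are mapped
# to the two high-order bits, CWR (0x80) and ECE (0x40), as Snort does.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40}

# <FSRPAU120>[!*+][,<FSRPAU120>] -- the second part may not carry a modifier.
_TCP_FLAGS = re.compile(r"^([FSRPAU12]+|0)([!*+]?)(?:,([FSRPAU12]+))?$")


def _bits(letters):
    """Sum the bit values of a run of flag letters."""
    return sum(FLAG_BITS[c] for c in letters)


def parse_tcp_flags(value):
    """Return (required_bits, modifier, ignored_bits) for a --tcp_flags value."""
    m = _TCP_FLAGS.match(value.strip())
    if not m:
        raise ValueError("bad --tcp_flags value: %r" % value)
    req, mod, extra = m.groups()
    required = 0 if req == "0" else _bits(req)
    ignored = _bits(extra) if extra else 0
    return required, mod, ignored


def tcp_flags_match(value, packet_flags):
    """Evaluate a --tcp_flags value against a packet's 8-bit TCP flags field."""
    required, mod, ignored = parse_tcp_flags(value)
    # Bits listed after the comma may be present or absent: mask them out first.
    flags = (packet_flags & 0xFF) & ~ignored
    if mod == "+":                      # all specified bits set, others allowed
        return flags & required == required
    if mod == "*":                      # any one of the specified bits set
        return flags & required != 0
    if mod == "!":                      # none of the specified bits set
        return flags & required == 0
    return flags == required            # exact match; "0" means no flags at all


def window_size_match(value, packet_window):
    """Evaluate a --window_size value ([!]<window_int>, decimal or 0x-hex)."""
    value = value.strip()
    negate = value.startswith("!")
    wanted = int(value.lstrip("!"), 0)  # base 0 accepts both 8192 and 0x2000
    return (packet_window == wanted) != negate
```

The two examples from the table behave as described: "AP" matches only 0x18, while "S,12" matches 0x02, 0x82, 0x42 and 0xC2 but not a SYN/ACK (0x12).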

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916