96
Chapter 3     Working with Snort Rules
equal to a certain number. The following rule generates an alert if the data size of an IP
packet is larger than 6000 bytes.
alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; \
   msg: "Large size IP packet detected";)
3.6.8 The flags Keyword
The flags keyword is used to find out which flag bits are set inside the TCP header
of a packet. Each flag can be used as an argument to the flags keyword in Snort rules. A
detailed description of the TCP flag bits is present in RFC 793 at http://www.rfc-editor.org/rfc/rfc793.txt.
These flag bits are used by many security-related tools for different purposes, including
port scanning tools like nmap (http://www.nmap.org). Snort supports checking of the
flags listed in Table 3-2.
Table 3-2 TCP flag bits

Flag                        Argument character used in Snort rules
FIN or Finish Flag          F
SYN or Sync Flag            S
RST or Reset Flag           R
PSH or Push Flag            P
ACK or Acknowledge Flag     A
URG or Urgent Flag          U
Reserved Bit 1              1
Reserved Bit 2              2
No Flag set                 0
You can also use the !, +, and * symbols, just as with the IP header flag bits (discussed under
the fragbits keyword), for NOT, AND and OR logical operations on the flag bits being
tested. The following rule detects any scan attempt using SYN-FIN TCP packets.
alert tcp any any -> 192.168.1.0/24 any (flags: SF; \
   msg: "SYNC-FIN packet detected";)
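The following is an added example (not code from the book or from Snort itself) showing how a flags argument such as SF, SF+, S* or !SF is evaluated against the flag byte of a raw TCP header. It assumes Snort's matching semantics for the modifiers (exact match by default, + for "these bits plus any others", * for "any of these bits", ! for "not exactly these bits") and assumes the bit values used for reserved bits 1 and 2; the sample header is constructed inline.

```python
import struct

# Table 3-2 argument characters mapped to the bits of the TCP flag byte
# (byte 13 of the header, RFC 793). The values for the reserved bits
# "1" and "2" are an assumption of this example.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40,
}

def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Return the flag byte of a raw TCP header (minimum 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return tcp_header[13]

def parse_flags_arg(arg: str):
    """Split a Snort flags argument into (mode, bits).
    mode is "exact", "plus" (+), "any" (*) or "not" (!)."""
    arg = arg.strip()
    mode = "exact"
    if arg.startswith("!"):
        mode, arg = "not", arg[1:]
    elif arg.endswith("+"):
        mode, arg = "plus", arg[:-1]
    elif arg.endswith("*"):
        mode, arg = "any", arg[:-1]
    if arg == "0":            # "0" means no flag set at all
        return mode, 0
    bits = 0
    for ch in arg:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown flag character {ch!r}")
        bits |= FLAG_BITS[ch]
    return mode, bits

def flags_match(arg: str, tcp_flags: int) -> bool:
    """Evaluate a flags argument against the packet's flag byte."""
    mode, bits = parse_flags_arg(arg)
    if mode == "exact":
        return tcp_flags == bits          # only these bits, nothing else
    if mode == "plus":
        return tcp_flags & bits == bits   # these bits, others allowed
    if mode == "any":
        return tcp_flags & bits != 0      # at least one of these bits
    return tcp_flags != bits              # "not": anything but exactly these

def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample header: data offset 5, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed SYN-FIN header, the case the rule above is written to catch.
SYN_FIN_HEADER = build_tcp_header(FLAG_BITS["S"] | FLAG_BITS["F"])
```

Running flags_match("SF", tcp_flags_from_header(SYN_FIN_HEADER)) reproduces the decision the rule makes; a SYN-FIN-ACK packet would pass SF+ but not plain SF.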