Rule Options
Note that the ! symbol is used for NOT, + is used for AND, and * is used for OR
operations.
3.6.9 The fragbits Keyword
The IP header contains three flag bits that are used for fragmentation and
reassembly of IP packets. These bits are listed below:
• Reserved Bit (RB), which is reserved for future use.
• Don't Fragment Bit (DF). If this bit is set, it shows that the IP packet should not
be fragmented.
• More Fragments Bit (MF). If this bit is set, it shows that more fragments of this
IP packet are on the way. If this bit is not set, it shows that this is the last
fragment (or the only fragment) of the IP packet. The sending host fragments IP
packets into smaller packets depending on the maximum packet size that can be
transmitted through a communication medium. For example, the Maximum
Transfer Units or MTU defines the maximum length of a packet on Ethernet
networks. This bit is used at the destination host to reassemble IP fragments.
For more information on flag bits, refer to RFC 791 at
http://www.rfc-editor.org/rfc/rfc791.txt. Sometimes these bits are used by hackers for
attacks and to find out information related to your network. For example, the DF bit
can be used to find the minimum and maximum MTU for a path from source to
destination. Using the fragbits keyword, you can find out whether these bits are set or
cleared in a packet. The following rule detects whether the DF bit is set in an ICMP
packet.
alert icmp any any -> 192.168.1.0/24 any (fragbits: D; \
   msg: "Don't Fragment bit set";)
In this rule, D is used for the DF bit. You can use R for the reserved bit and M for the
MF bit. You can also use the negation symbol ! in the rule. The following rule detects
if the DF bit is not set, although this rule is of little use.
alert icmp any any -> 192.168.1.0/24 any (fragbits: !D; \
   msg: "Don't Fragment bit not set";)
The AND and OR logical operators can also be used to check multiple bits. The +
symbol specifies that all of the listed bits must be set (AND operation), while the *
symbol specifies that any one of the listed bits may be set (OR operation).
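
The following Python sketch is an added example, not part of the original text and not Snort's own code. It reads the flag bits from a raw IPv4 header and evaluates a fragbits argument with the !, + and * modifiers described above, so rule logic can be checked against sample packets. The function names and the sample header are constructed for illustration, and it assumes that a list without a modifier must match the flag bits exactly.

```python
import struct

# Masks inside the 16-bit flags/fragment-offset field of the IPv4 header (RFC 791).
BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
FLAG_MASK = 0xE000

def ip_flag_bits(header: bytes) -> int:
    """Return the three flag bits (fragment offset masked out) of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    return flags_frag & FLAG_MASK

def fragbits_match(option: str, header: bytes) -> bool:
    """Evaluate a fragbits argument such as 'D', '!D', 'MD+' or 'MD*'."""
    text = option.replace(" ", "").upper()
    modifiers = [c for c in text if c in "!+*"]
    letters = [c for c in text if c in BITS]
    if len(modifiers) > 1 or not letters or len(modifiers) + len(letters) != len(text):
        raise ValueError(f"bad fragbits argument: {option!r}")
    wanted = 0
    for c in letters:
        wanted |= BITS[c]
    seen = ip_flag_bits(header)
    if "!" in modifiers:                 # NOT: none of the listed bits is set
        return (seen & wanted) == 0
    if "+" in modifiers:                 # AND: all listed bits set, others ignored
        return (seen & wanted) == wanted
    if "*" in modifiers:                 # OR: at least one listed bit is set
        return (seen & wanted) != 0
    return seen == wanted                # assumption: no modifier means exact match

def sample_header(flags_frag: int) -> bytes:
    """Constructed 20-byte IPv4 header carrying ICMP; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, flags_frag, 64, 1, 0,
                       bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))

if __name__ == "__main__":
    packets = {"DF only": 0x4000, "MF, offset 185": 0x2000 | 185, "no flags": 0}
    for label, value in packets.items():
        hdr = sample_header(value)
        results = {opt: fragbits_match(opt, hdr) for opt in ("D", "!D", "MD+", "MD*")}
        print(label, results)
```
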