The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. To catch all the first fragments of an IP session, you could use the fragbits keyword and look for the More fragments option in conjunction with a fragoffset of 0.
fragoffset:[<|>]<number>
The ttl keyword is used to check the IP time-to-live value. This option keyword was intended for use in the detection of traceroute attempts.
ttl:[[<number>-]><=]<number>;
This example checks for a time-to-live value that is less than 3.
ttl:<3;
This example checks for a time-to-live value that between 3 and 5.
ttl:3-5;
The tos keyword is used to check the IP TOS field for a specific value.
tos:[!]<number>;
This example looks for a tos value that is not 4
tos:!4;
The id keyword is used to check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.
id:<number>;
This example looks for the IP ID of 31337.
id:31337;
The ipopts keyword is used to check if a specific IP option is present.
The following options may be checked:
The most frequently watched for IP options are strict and loose source routing which aren't used in any widespread internet applications.
ipopts:<rr|eol|nop|ts|sec|lsrr|ssrr|satid|any>;
ipopts:lsrr;
The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header.
The following bits may be checked:
The following modifiers can be set to change the match criteria:
fragbits:[+-*]<[MDR]>
This example checks if the More Fragments bit and the Do not Fragment bit are set.
fragbits:MD+;
The dsize keyword is used to test the packet payload size. This may be used to check for abnormally sized packets. In many cases, it is useful for detecting buffer overflows.
dsize: [<>]<number>[<><number>];
dsize:300<>400;
The flags keyword is used to check if specific TCP flag bits are present.
The following bits may be checked:
The following modifiers can be set to change the match criteria:
To handle writing rules for session initiation packets such as ECN where a SYN packet is sent with the previously reserved bits 1 and 2 set, an option mask may be specified. A rule could check for a flags value of S,12 if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits.
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];
This example checks if just the SYN and the FIN bits are set, ignoring reserved bit 1 and reserved bit 2.
alert tcp any any -> any any (flags:SF,12;)
The flow rule option is used in conjunction with TCP stream reassembly
(see Section ). It allows rules to only apply
to certain directions of the traffic flow.
This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running the $HOME_NET.
The established keyword will replace the flags: A+ used in many places to show established TCP connections.
Option | Description |
to_client | Trigger on server responses from A to B |
to_server | Trigger on client requests from A to B |
from_client | Trigger on client requests from A to B |
from_server | Trigger on server responses from A to B |
established | Trigger only on established TCP connections |
stateless | Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash) |
no_stream | Do not trigger on rebuilt stream packets (useful for dsize and stream4) |
only_stream | Only trigger on rebuilt stream packets |
flow: [(established|stateless)] [,(to_client|to_server|from_client|from_server)] [,(no_stream|only_stream)]
The flowbits rule option is used in conjunction with conversation
tracking from the Flow preprocessor (see Section). It allows
rules to track states across transport protocol sessions. The flowbits option
is most useful for TCP sessions, as it allows rules to generically track the
state of an application protocol.
There are seven keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and underscores.
Option | Description |
set | Sets the specified state for the current flow. |
unset | Unsets the specified state for the current flow. |
toggle | Sets the specified state if the state is unset, otherwise unsets the state if the state is set. |
isset | Checks if the specified state is set. |
isnotset | Checks if the specified state is not set. |
noalert | Cause the rule to not generate an alert, regardless of the rest of the detection options. |
flowbits: [set|unset|toggle|isset,reset,noalert][,<STATE_NAME>];
The seq keyword is used to check for a specific TCP sequence number.
seq:<number>;
seq:0;
The ack keyword is used to check for a specific TCP acknowledge number.
ack: <number>;
ack:0;
The ack keyword is used to check for a specific TCP window size.
window:[!]<number>;
window:55808;
The itype keyword is used to check for a specific ICMP type value.
itype:[<|>]<number>[<><number>];
This example looks for an ICMP type greater than 30.
itype:>30;
The itype keyword is used to check for a specific ICMP code value.
icode: [<|>]<number>[<><number>];
code:>30;
The itype keyword is used to check for a specific ICMP ID value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_id:<number>;
This example looks for an ICMP ID of 0.
icmp_id:0;
The itype keyword is used to check for a specific ICMP sequence value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_seq: <number>;
This example looks for an ICMP Sequence of 0.
icmp_seq:0;
The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests.
Wildcards are valid for both version and procedure numbers by using '*';
rpc: <application number>, [<version number>|*], [<procedure number>|*]>;
The following example looks for an RPC portmap GETPORT request.
alert tcp any any -> any 111 (rpc: 100000,*,3;);
Because of the fast pattern matching engine, the RPC keyword is slower than looking for the RPC values by using normal content matching.
The ip_proto keyword allows checks against the IP protocol header. For a list of protocols that may be specified by name, see /etc/protocols.
ip_proto:[!><] <name or number>;
alert ip any any -> any any (ip_proto:igmp;)
The sameip keyword allows rules to check if the source ip is the same as the destination IP.
sameip;
This example looks for any traffic where the Source IP and the Destination IP is the same.
alert ip any any -> any any (sampeip;)