TCP header options

Use TCP header options to check the properties of the TCP header.

src_port

Check the source port number or range.

Syntax:
--src_port [!]<number>;

The placement of : indicates less than or equal to:

--src_port [!]:<number>;

The placement of : indicates greater than or equal to:

--src_port [!]<number>:;

The placement of : indicates a range, exclusive of endpoints:

--src_port [!]<number>:<number>;

The optional prefix ! means exclude.

Example:

Greater than or equal to 1000:

--src_port 1000:;

dst_port

Check the destination port number or range.

Syntax:
--dst_port [!]<number>;

Equal to:

--dst_port [!]:<number>;

Greater than or equal to:

--dst_port [!]<number>:;

Range, exclusive of endpoints:

--dst_port [!]<number>:<number>;

The optional prefix ! means exclude.

Example:

Greater than or equal to 100 and less than or equal to 200:

--dst_port 100:200;

seq

Check the TCP sequence number value or range.

Syntax:
--seq <number>[,relative];

Equal to:

--seq =,<number>[,relative]; 

Greater than:

--seq >,<number>[,relative]:; 

Less than:

--seq <,<number>[,relative]; 

Not equal to:

--seq !,<number>[,relative]; 

The optional field relative indicates the value is relative to the initial sequence number of the TCP session. No prefix defaults to "equal to."

Examples:
--seq <,12345;
--seq !,12345;

ack

Check the TCP acknowledge number for a specific value.

Syntax:
--ack <number>;

Equal to:

--ack =,<number>[,relative]; 

Greater than:

--ack >,<number>[,relative]:;

Less than:

--ack <,<number>[,relative]; 

Not equal to:

--ack !,<number>[,relative];

Examples:
--ack <,12345;
--ack !,12345;

tcp_flags

Specify the TCP flags to match in a TCP packet.

Syntax:
--tcp_flags <!*+FSRPAU120>[,<FSRPAU120>];

Flag  Description       Note
S     SYN               upper case required
A     ACK               upper case required
F     FIN               upper case required
R     RST               upper case required
U     URG               upper case required
P     PSH               upper case required
1     reserved bit 1
2     reserved bit 2
0     No TCP flags set

The first part defines the bits to match:

  • The flags S, A, F, R, U, and P must be in upper case.
  • If the first digit is 0, it will stop and ignore all of the following flags.
  • * matches any one of the specified bits.
  • + matches all of the specified bits, plus any others.
  • ! matches if none of the specified bits is set.
  • Default matches the specified bits exactly.

The second part is optional. It identifies the bits that should be masked off before matching.

Examples:
--tcp_flags 0,12;
--tcp_flags !SAFRUP,12;
--tcp_flags S,12;
--tcp_flags S+;
--tcp_flags *SAFRUP12;
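The matching rules above, worked through in Python as an added example (this is not Fortinet code). It assumes the "1" and "2" flags are the two reserved bits directly above URG in the flags byte (0x40 and 0x80), and accepts the modifier either before or after the flag letters so that the "S+" example above parses.

```python
# Added example (not Fortinet's code): evaluates a --tcp_flags option against
# the flags byte of a TCP header, following the rules stated in the doc above.
# Assumption: "1" and "2" are the two reserved bits above URG (0x40 and 0x80).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def parse_flag_spec(spec):
    """Return (modifier, bits). Lower-case letters raise KeyError: upper case is required."""
    modifier, bits = "", 0
    for ch in spec:
        if ch in "!*+":
            modifier = ch          # accepted before or after the letters, as in "S+"
        elif ch == "0":
            return modifier, 0     # "0" stops parsing; the following flags are ignored
        else:
            bits |= FLAG_BITS[ch]
    return modifier, bits


def parse_tcp_flags_option(option):
    """Split '--tcp_flags <spec>[,<mask>];' into (modifier, match_bits, mask_bits)."""
    body = option.strip().removeprefix("--tcp_flags").strip().rstrip(";")
    spec, _, mask_spec = body.partition(",")
    modifier, bits = parse_flag_spec(spec.strip())
    _, mask = parse_flag_spec(mask_spec.strip()) if mask_spec else ("", 0)
    return modifier, bits, mask


def tcp_flags_match(option, flags_byte):
    """True if the packet's flags byte satisfies the option."""
    modifier, bits, mask = parse_tcp_flags_option(option)
    observed = flags_byte & ~mask & 0xFF      # second part: mask those bits off first
    if modifier == "!":
        return observed & bits == 0           # none of the specified bits set
    if modifier == "*":
        return observed & bits != 0           # any one of the specified bits set
    if modifier == "+":
        return observed & bits == bits        # all specified bits, others allowed
    return observed == bits                   # default: exact match


if __name__ == "__main__":
    # Constructed flag bytes: SYN with both reserved bits, SYN-ACK, ACK only.
    for option in ("--tcp_flags 0,12;", "--tcp_flags S,12;", "--tcp_flags S+;",
                   "--tcp_flags !SAFRUP,12;", "--tcp_flags *SAFRUP12;"):
        print(option, [tcp_flags_match(option, b) for b in (0xC2, 0x12, 0x10)])
```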

window_size

Check for the specified TCP window size.

Syntax:
--window_size [!]<number>;
--window_size [!]0x<number>;
--window_size [>=]<number>;
--window_size [<=]<number>;

Examples:
--window_size 1000;
--window_size !0x1000;

tcp.src_port, tcp.dst_port, tcp.seq, tcp.ack, tcp.flags, tcp.window_size, tcp.checksum, tcp.urgent, tcp.any_option

Check for these fields in the TCP header.

Syntax:
--tcp.[decorations] <operator><value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Examples:
--tcp.src_port in [1111,2222];
--tcp.flags & 0x0f = 0x6;

Iterate over all options:

--tcp.any_option = 0x6052, dword;

tcp [offset]

Access any field in the TCP header by byte offset (freelance mode).

Syntax:
--tcp[offset] <operator><value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses BYTE and big endian.

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example:
--tcp[20] &0xF0 = 0x30;
