The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. To catch all the first fragments of an IP session, you could use the fragbits keyword and look for the More fragments option in conjunction with a fragoffset of 0.
fragoffset:[<|>]<number>;
alert ip any any -> any any \
(msg: "First Fragment"; fragbits: M; fragoffset: 0;)
The ttl keyword is used to check the IP time-to-live value. This option keyword was intended for use in the detection of traceroute attempts.
ttl:[[<number>-]><=]<number>;
This example checks for a time-to-live value that is less than 3.
ttl:<3;
This example checks for a time-to-live value that is between 3 and 5.
ttl:3-5;
The tos keyword is used to check the IP TOS field for a specific value.
tos:[!]<number>;
This example looks for a tos value that is not 4.
tos:!4;
The id keyword is used to check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.
id:<number>;
This example looks for the IP ID of 31337.
id:31337;
The ipopts keyword is used to check if a specific IP option is present.
The following options may be checked: rr (record route), eol (end of list), nop (no op), ts (timestamp), sec (IP security), esec (IP extended security), lsrr (loose source routing), ssrr (strict source routing), satid (stream identifier), or any (any IP option is set).
The most frequently watched-for IP options are strict and loose source routing, which aren't used in any widespread internet applications.
ipopts:<rr|eol|nop|ts|sec|esec|lsrr|ssrr|satid|any>;
This example looks for the IP Option of Loose Source Routing.
ipopts:lsrr;
Only a single ipopts keyword may be specified per rule.
The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header.
The following bits may be checked: M (More Fragments), D (Don't Fragment), and R (Reserved Bit).
The following modifiers can be set to change the match criteria: + matches on the specified bits plus any others, * matches if any of the specified bits are set, and ! matches if the specified bits are not set. Without a modifier the match is exact.
fragbits:[+*!]<[MDR]>;
This example checks if the More Fragments bit and the Do not Fragment bit are set.
fragbits:MD+;
The dsize keyword is used to test the packet payload size. This may be used to check for abnormally sized packets. In many cases, it is useful for detecting buffer overflows.
dsize: [<>]<number>[<><number>];
This example looks for a dsize that is between 300 and 400 bytes.
dsize:300<>400;
dsize will fail on stream rebuilt packets, regardless of the size of the payload.
The flags keyword is used to check if specific TCP flag bits are present.
The following bits may be checked: F (FIN), S (SYN), R (RST), P (PSH), A (ACK), U (URG), 1 (reserved bit 1), 2 (reserved bit 2), and 0 (no TCP flags set).
The following modifiers can be set to change the match criteria: + matches on the specified bits plus any others, * matches if any of the specified bits are set, and ! matches if the specified bits are not set. Without a modifier the match is exact.
To handle writing rules for session initiation packets such as ECN where a SYN packet is sent with the previously reserved bits 1 and 2 set, an option mask may be specified. A rule could check for a flags value of S,12 if one wishes to find packets with just the syn bit, regardless of the values of the reserved bits.
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];
This example checks if just the SYN and the FIN bits are set, ignoring reserved bit 1 and reserved bit 2.
alert tcp any any -> any any (flags:SF,12;)
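The modifier and mask semantics described above for fragbits and flags, modelled in Python as an added example (not code from the Snort manual; the bit values in the two tables and the treatment of ! as the negation of an exact match are assumptions for illustration):

```python
FRAGBITS = {"M": 0x1, "D": 0x2, "R": 0x4}  # More Fragments, Don't Fragment, Reserved
TCPFLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40}  # 1 and 2 are the reserved bits

def parse_spec(spec, table):
    """Turn 'MD+' or 'SF,12' into (modifier, bits, mask); a bare '0' means no bits."""
    letters, _, masked = spec.partition(",")
    modifier, bits, mask = "", 0, 0
    for ch in letters:
        if ch in "+*!":
            modifier = ch            # the modifier may precede or follow the bit letters
        elif ch != "0":
            bits |= table[ch]
    for ch in masked:
        mask |= table[ch]            # masked bits are ignored by the comparison
    return modifier, bits, mask

def bits_match(spec, value, table):
    """Return True if the packet's bit field satisfies the rule specification."""
    modifier, bits, mask = parse_spec(spec, table)
    value &= ~mask
    if modifier == "+":
        return (value & bits) == bits   # all specified bits set, others may be too
    if modifier == "*":
        return (value & bits) != 0      # any one of the specified bits set
    if modifier == "!":
        return value != bits            # assumption: negation of the exact match
    return value == bits                # exact match: these bits and no others

def fragbits_match(spec, ip_flags):
    return bits_match(spec, ip_flags, FRAGBITS)

def flags_match(spec, tcp_flags):
    return bits_match(spec, tcp_flags, TCPFLAGS)

if __name__ == "__main__":
    # Constructed packet: an ECN-style SYN with reserved bits 1 and 2 set
    syn_ecn = TCPFLAGS["S"] | TCPFLAGS["1"] | TCPFLAGS["2"]
    print(flags_match("S", syn_ecn), flags_match("S,12", syn_ecn))   # False True
    print(fragbits_match("MD+", FRAGBITS["M"] | FRAGBITS["D"] | FRAGBITS["R"]))  # True
```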
The flow keyword is used in conjunction with TCP stream reassembly (see the section on TCP stream reassembly). It allows rules to only apply to certain directions of the traffic flow.
This lets rules apply only to clients or only to servers, so that packets from $HOME_NET clients viewing web pages can be distinguished from those of servers running in $HOME_NET.
The established keyword will replace the flags: A+ used in many places to show established TCP connections.
| Option | Description |
| --- | --- |
| to_client | Trigger on server responses from A to B |
| to_server | Trigger on client requests from A to B |
| from_client | Trigger on client requests from A to B |
| from_server | Trigger on server responses from A to B |
| established | Trigger only on established TCP connections |
| stateless | Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash) |
| no_stream | Do not trigger on rebuilt stream packets (useful for dsize and stream5) |
| only_stream | Only trigger on rebuilt stream packets |
flow: [(established|stateless)]
[,(to_client|to_server|from_client|from_server)]
[,(no_stream|only_stream)];
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; \
flow:from_client; content:"CWD incoming"; nocase;)
alert tcp !$HOME_NET 0 -> $HOME_NET 0 (msg: "Port 0 TCP traffic"; \
flow:stateless;)
The flowbits keyword is used in conjunction with conversation tracking from the Stream preprocessor (see the section on the Stream preprocessor). It allows rules to track states during a transport protocol session. The flowbits option is most useful for TCP sessions, as it allows rules to generically track the state of an application protocol.
There are eight keywords associated with flowbits. Most of the options need a user-defined name for the specific state that is being checked. This string should be limited to any alphanumeric string including periods, dashes, and underscores. The keywords set and toggle take an optional argument which specifies the group to which the keywords will belong. When no group name is specified the flowbits will belong to a default group. All the flowbits in a particular group (with an exception of default group) are mutually exclusive. A particular flow cannot belong to more than one group.
| Option | Description |
| --- | --- |
| set | Sets the specified state for the current flow and unsets all the other flowbits in a group when a GROUP_NAME is specified. |
| unset | Unsets the specified state for the current flow. |
| toggle | Sets the specified state if the state is unset and unsets all the other flowbits in a group when a GROUP_NAME is specified, otherwise unsets the state if the state is set. |
| isset | Checks if the specified state is set. |
| isnotset | Checks if the specified state is not set. |
| noalert | Cause the rule to not generate an alert, regardless of the rest of the detection options. |
flowbits: [set|unset|toggle|isset|reset|noalert][,<STATE_NAME>][,<GROUP_NAME>];
alert tcp any 143 -> any any (msg:"IMAP login"; \
content:"OK LOGIN"; flowbits:set,logged_in; \
flowbits:noalert;)
alert tcp any any -> any 143 (msg:"IMAP LIST"; content:"LIST"; \
flowbits:isset,logged_in;)
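The state tracking the two IMAP rules rely on, replayed over a constructed packet sequence as an added Python model (not code from the Snort manual): per-flow named bits, the set/unset/toggle/isset/isnotset/noalert operations, and the mutual exclusion of bits within a named group. Ports and direction are ignored here; the rules are reduced to their content and flowbits options.

```python
from collections import defaultdict
class FlowBits:
    def __init__(self):
        self.bits = defaultdict(set)   # flow key -> names of bits currently set
        self.group = {}                # bit name -> group name, if any

    def _set(self, bits, name):
        grp = self.group.get(name)     # a grouped bit unsets the rest of its group
        if grp:
            bits.difference_update({n for n in bits if self.group.get(n) == grp})
        bits.add(name)

    def apply(self, flow, op, name=None, grp=None):
        """Apply one flowbits option on a flow; return whether the option matched."""
        bits = self.bits[flow]
        if grp:
            self.group[name] = grp
        if op == "set":
            self._set(bits, name)
        elif op == "unset":
            bits.discard(name)
        elif op == "toggle":           # unset if set, otherwise set (honouring the group)
            bits.discard(name) if name in bits else self._set(bits, name)
        elif op == "isset":
            return name in bits
        elif op == "isnotset":
            return name not in bits
        elif op != "noalert":
            raise ValueError(op)
        return True

def evaluate(rule, pkt, fb):
    """Alert if the content matches, every flowbits option matches and no noalert."""
    ok = rule["content"] in pkt["payload"] and all(fb.apply(pkt["flow"], *o) for o in rule["flowbits"])
    return ok and ("noalert",) not in rule["flowbits"]

# The manual's two IMAP rules reduced to their content and flowbits options.
IMAP_LOGIN = {"content": "OK LOGIN", "flowbits": [("set", "logged_in"), ("noalert",)]}
IMAP_LIST = {"content": "LIST", "flowbits": [("isset", "logged_in")]}

def run(packets, rules=(IMAP_LOGIN, IMAP_LIST)):
    """Return (flow, content) for each alert raised while replaying the packets."""
    fb = FlowBits()
    return [(p["flow"], r["content"]) for p in packets for r in rules if evaluate(r, p, fb)]

PACKETS = [  # constructed: flow A logs in before LIST, flow B sends LIST without login
    {"flow": "A", "payload": "* OK LOGIN completed"},
    {"flow": "A", "payload": "a2 LIST \"\" *"},
    {"flow": "B", "payload": "b1 LIST \"\" *"},
]
```

Only flow A's LIST raises an alert: the login packet itself is silenced by noalert, and flow B never had logged_in set.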
The seq keyword is used to check for a specific TCP sequence number.
seq:<number>;
This example looks for a TCP sequence number of 0.
seq:0;
The ack keyword is used to check for a specific TCP acknowledge number.
ack: <number>;
This example looks for a TCP acknowledge number of 0.
ack:0;
The window keyword is used to check for a specific TCP window size.
window:[!]<number>;
This example looks for a TCP window size of 55808.
window:55808;
The itype keyword is used to check for a specific ICMP type value.
itype:[<|>]<number>[<><number>];
This example looks for an ICMP type greater than 30.
itype:>30;
The icode keyword is used to check for a specific ICMP code value.
icode: [<|>]<number>[<><number>];
This example looks for an ICMP code greater than 30.
icode:>30;
The icmp_id keyword is used to check for a specific ICMP ID value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_id:<number>;
This example looks for an ICMP ID of 0.
icmp_id:0;
The icmp_seq keyword is used to check for a specific ICMP sequence value.
This is useful because some covert channel programs use static ICMP fields when they communicate. This particular plugin was developed to detect the stacheldraht DDoS agent.
icmp_seq:<number>;
This example looks for an ICMP Sequence of 0.
icmp_seq:0;
The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests.
Wildcards are valid for both version and procedure numbers by using '*'.
rpc:<application number>,[<version number>|*],[<procedure number>|*];
The following example looks for an RPC portmap GETPORT request.
alert tcp any any -> any 111 (rpc:100000,*,3;)
Because of the fast pattern matching engine, the RPC keyword is slower than looking for the RPC values by using normal content matching.
The ip_proto keyword allows checks against the IP protocol header. For a list of protocols that may be specified by name, see /etc/protocols.
ip_proto:[!|>|<] <name or number>;
This example looks for IGMP traffic.
alert ip any any -> any any (ip_proto:igmp;)
The sameip keyword allows rules to check if the source ip is the same as the destination IP.
sameip;
This example looks for any traffic where the Source IP and the Destination IP is the same.
alert ip any any -> any any (sameip;)
The stream_size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers.
Note: The stream_size option is only available when the Stream5 preprocessor is enabled.
stream_size:<server|client|both|either>,<operator>,<number>
Where the operator is one of the following: < (less than), > (greater than), = (equal), != (not equal), <= (less than or equal), >= (greater than or equal).
For example, to look for a session that is less than 6 bytes from the client side, use:
alert tcp any any -> any any (stream_size:client,<,6;)
| Keyword | Description |
| --- | --- |
| fragoffset | The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. |
| ttl | The ttl keyword is used to check the IP time-to-live value. |
| tos | The tos keyword is used to check the IP TOS field for a specific value. |
| id | The id keyword is used to check the IP ID field for a specific value. |
| ipopts | The ipopts keyword is used to check if a specific IP option is present. |
| fragbits | The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header. |
| dsize | The dsize keyword is used to test the packet payload size. |
| flags | The flags keyword is used to check if specific TCP flag bits are present. |
| flow | The flow keyword allows rules to only apply to certain directions of the traffic flow. |
| flowbits | The flowbits keyword allows rules to track states during a transport protocol session. |
| seq | The seq keyword is used to check for a specific TCP sequence number. |
| ack | The ack keyword is used to check for a specific TCP acknowledge number. |
| window | The window keyword is used to check for a specific TCP window size. |
| itype | The itype keyword is used to check for a specific ICMP type value. |
| icode | The icode keyword is used to check for a specific ICMP code value. |
| icmp_id | The icmp_id keyword is used to check for a specific ICMP ID value. |
| icmp_seq | The icmp_seq keyword is used to check for a specific ICMP sequence value. |
| rpc | The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests. |
| ip_proto | The ip_proto keyword allows checks against the IP protocol header. |
| sameip | The sameip keyword allows rules to check if the source ip is the same as the destination IP. |