Non-Payload Detection Rule Options

The non-payload rule options look for non-payload-related data. All of these options are described in detail in subsequent sections, but essentially, these options enable users to evaluate parts of a packet other than the TCP and UDP data sections, as well as keep track of packet states for future evaluation.

Quick Reference

keyword             description
fragoffset          fragoffset looks for specific IP header fragment offset values
ttl                 ttl looks for specific IP header TTL values
tos                 tos looks for specific IP header ToS values
id                  id looks for specific IP header ID values
ipopts              ipopts looks for the presence of specific IP options
fragbits            fragbits checks the IP header for fragmentation or reserved bits
ip_proto            ip_proto looks for specific IP header protocol fields
flags               flags checks the TCP header for specific TCP flag bits
flow                flow checks the session properties associated with a given packet
flowbits            flowbits is used to set and test arbitrary boolean flags to track state during a transport protocol session
file_type           file_type is used to create rules that are constrained to a specific file type or a specific version of a file type
seq                 seq looks for specific TCP header sequence numbers
ack                 ack looks for specific TCP header acknowledgment numbers
window              window looks for specific TCP header window sizes
itype               itype looks for specific ICMP type values
icode               icode looks for specific ICMP code values
icmp_id             icmp_id looks for specific ICMP ID values
icmp_seq            icmp_seq looks for specific ICMP sequence values
rpc                 rpc looks for specific SUNRPC CALL request parameters
stream_reassemble   stream_reassemble is used to enable or disable TCP stream reassembly on matching traffic
stream_size         stream_size is used to perform stream size checking
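The semantics that the table only names, worked through in a small Python evaluator. This is an added example, not part of the Snort manual and not Snort's detection engine: the Packet dataclass, the session strings and the (keyword, argument) rule tuples are all constructed for the illustration, and only ttl, ip_proto, flags, flow and flowbits are implemented. It shows the integer comparison shared by the header-value options, the flags modifiers and exclusion mask, and the state tracking the introduction mentions: a flowbit set by one rule on one session is visible to a second rule only on that same session.

```python
# Toy evaluator for a few Snort-style non-payload options. A constructed
# illustration of their semantics, not Snort's detection engine; the packets
# are hand-built header summaries, not parsed captures.
from dataclasses import dataclass

# Flag letters as written in the flags option. Snort 2 spells the ECN bits
# "1" (CWR) and "2" (ECE); Snort 3 uses "C" and "E". "0" means no flags set.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10,
                 "U": 0x20, "E": 0x40, "C": 0x80, "2": 0x40, "1": 0x80, "0": 0}
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
FLOW_TESTS = {"to_server": lambda p: p.to_server, "from_client": lambda p: p.to_server,
              "to_client": lambda p: not p.to_server, "from_server": lambda p: not p.to_server,
              "established": lambda p: p.established, "stateless": lambda p: True}

@dataclass
class Packet:
    """Only the header fields the options below look at; there is no payload."""
    proto: str                 # "tcp", "udp" or "icmp"
    session: str               # flow key, e.g. a 5-tuple string
    to_server: bool = True     # direction relative to the session initiator
    established: bool = False  # TCP handshake completed for this session
    ttl: int = 64
    tcp_flags: int = 0         # raw TCP flags byte

def _flag_mask(letters: str) -> int:
    return sum(TCP_FLAG_BITS[ch] for ch in set(letters))  # KeyError on a non-flag letter

def check_range(spec: str, value: int) -> bool:
    """N, =N, !N, <N, >N, <=N, >=N or inclusive LOW-HIGH; shared by ttl, tos, id, seq, ack, window."""
    spec = spec.strip()
    if spec[0].isdigit() and "-" in spec:
        low, high = map(int, spec.split("-", 1))
        return low <= value <= high
    ops = {"<=": value.__le__, ">=": value.__ge__, "<": value.__lt__,
           ">": value.__gt__, "!": value.__ne__, "=": value.__eq__}
    for op, test in ops.items():  # two-character operators are tried first
        if spec.startswith(op):
            return test(int(spec[len(op):]))
    return value == int(spec)

def check_flags(spec: str, flags: int) -> bool:
    """"S" = exactly S; "+S" = S plus any others; "*SA" = any of S, A; "!S" = none of S.
    An optional ",MASK" names bits to ignore: "S,CE" matches a SYN with or without ECN bits."""
    test_part, _, mask_part = spec.partition(",")
    mode = test_part[0] if test_part and test_part[0] in "+*!" else ""
    want = _flag_mask(test_part[len(mode):])
    seen = flags & ~_flag_mask(mask_part)
    if mode == "+":
        return (seen & want) == want
    if mode == "*":
        return (seen & want) != 0
    if mode == "!":
        return (seen & want) == 0
    return seen == want

def check_flow(spec: str, pkt: Packet) -> bool:
    """Direction and state of the session the packet belongs to."""
    return all(FLOW_TESTS[token.strip()](pkt) for token in spec.split(","))

def check_flowbits(spec: str, pkt: Packet, state: dict) -> bool:
    """Per-session flags: only isset/isnotset can fail; set/unset/toggle/noalert always match."""
    op, _, name = (part.strip() for part in spec.partition(","))
    bits = state.setdefault(pkt.session, set())
    if op in ("isset", "isnotset"):
        return (name in bits) == (op == "isset")
    actions = {"set": bits.add, "unset": bits.discard, "noalert": lambda n: None,
               "toggle": lambda n: bits.symmetric_difference_update({n})}
    actions[op](name)  # KeyError on an unknown operation
    return True

def evaluate(options, pkt: Packet, state: dict) -> bool:
    """Every (keyword, argument) pair must match; all() stops at the first failure,
    so a flowbits:set placed after the tests only runs when they passed."""
    checks = {"ttl": lambda a: check_range(a, pkt.ttl),
              "ip_proto": lambda a: check_range(a, IP_PROTO[pkt.proto]),
              "flags": lambda a: pkt.proto == "tcp" and check_flags(a, pkt.tcp_flags),
              "flow": lambda a: check_flow(a, pkt),
              "flowbits": lambda a: check_flowbits(a, pkt, state)}
    return all(checks[keyword](arg) for keyword, arg in options)

def demo() -> list:
    """Two rules sharing one flowbit across a TCP session (constructed traffic)."""
    state: dict = {}
    sess_a = "10.0.0.5:40000<->192.0.2.10:80"
    sess_b = "10.0.0.6:40001<->192.0.2.10:80"
    # Rule 1: a SYN with a suspiciously low TTL marks the session without alerting.
    mark = [("flow", "to_server"), ("flags", "S,CE"), ("ttl", "<=5"),
            ("flowbits", "set,low_ttl_syn"), ("flowbits", "noalert")]
    # Rule 2: later server-to-client data on a session that rule 1 marked.
    follow = [("flow", "to_client,established"), ("flags", "+A"),
              ("flowbits", "isset,low_ttl_syn")]
    ecn_syn = Packet("tcp", sess_a, ttl=4, tcp_flags=0x02 | 0x40 | 0x80)
    reply_a = Packet("tcp", sess_a, to_server=False, established=True, tcp_flags=0x18)
    reply_b = Packet("tcp", sess_b, to_server=False, established=True, tcp_flags=0x18)
    return [evaluate(mark, ecn_syn, state),    # True: bit set on sess_a
            evaluate(follow, reply_a, state),  # True: same session
            evaluate(follow, reply_b, state),  # False: sess_b was never marked
            evaluate(mark, Packet("tcp", sess_b, ttl=64, tcp_flags=0x02), state)]  # False: ttl
```

demo() returns [True, True, False, False]. Two points worth noticing: the flowbits:set is placed after the other tests so the bit is only recorded when a packet actually satisfied them, and the flags mask ("S,CE" in Snort 3 spelling, "S,12" in Snort 2 spelling) is what keeps a plain SYN test from missing ECN-setup SYNs. The option spellings here follow the Snort rule syntax as far as this example goes; the per-option sections that follow give the exact grammar.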