flags

The flags rule option checks to see if the specified flag bits are set in the TCP header.

The following flag bits may be checked:

  • F -> FIN (Finish)
  • S -> SYN (Synchronize sequence numbers)
  • R -> RST (Reset the connection)
  • P -> PSH (Push buffered data)
  • A -> ACK (Acknowledgement)
  • U -> URG (Urgent pointer)
  • C -> CWR (Congestion window reduced)
  • E -> ECE (ECN-Echo)
  • 0 -> No TCP flags set

One can look for multiple flags at once by specifying more than one flag character. Doing this tells Snort to look for all of the flags specified in the option.

Rule options can also include one of the following optional modifiers to change how the criteria are evaluated:

  • + -> match any of the specified bits, plus any others
  • * -> match if any of the specified bits are set
  • ! -> match if the specified bits are not set

Rule writers can also specify flags to ignore by placing a comma after the initial set of flags followed by a flag character or flag characters to ignore.

Format:

flags:[modifier]test_flag…[,mask_flag…];

Examples:

# Check for TCP packets where only the SYN flag is set
flags:S;
# Check for TCP packets where only the SYN and ACK flags are set
flags:SA;
# Check for TCP packets where the SYN and/or ACK flags are set
flags:*SA;
# Check if the SYN and FIN bits are set, ignoring the CWR and ECE bits
flags:SF,CE;
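As an added example, not Snort's own code: a small Python evaluator that applies the flags option semantics described above (default exact match, the +, * and ! modifiers, and the mask after the comma) to the flags byte of a TCP header. The parser, the function names and the constructed sample header are assumptions of this example.

```python
# Added example (not Snort's code): evaluate a "flags:" rule option against
# the flags byte of a TCP header, following the semantics described on this page.
import re

# Bit values of the eight TCP flag bits (byte 13 of the TCP header).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}

# flags:[modifier]test_flags[,mask_flags];  ("0" alone means no flags set)
OPTION_RE = re.compile(r"^flags:([+*!]?)(0|[FSRPAUCE]+)(?:,([FSRPAUCE]+))?;$")

def _bits(letters):
    """Convert flag letters to a bitmask; '0' or an empty string gives 0."""
    return 0 if letters in ("", "0") else sum(FLAG_BITS[c] for c in letters)

def parse_flags_option(option):
    """Return (modifier, test_bits, mask_bits) for a flags option string."""
    m = OPTION_RE.match(option.strip())
    if not m:
        raise ValueError(f"malformed flags option: {option!r}")
    modifier, test, mask = m.groups()
    return modifier, _bits(test), _bits(mask or "")

def flags_match(option, tcp_flags):
    """True if the TCP flags byte satisfies the option."""
    modifier, test, mask = parse_flags_option(option)
    observed = tcp_flags & ~mask & 0xFF      # mask flags are ignored entirely
    if modifier == "+":                      # test bits set, other bits allowed
        return observed & test == test
    if modifier == "*":                      # any one of the test bits set
        return observed & test != 0
    if modifier == "!":                      # none of the test bits set
        return observed & test == 0
    return observed == test                  # default: exactly these bits

def tcp_flags_from_header(tcp_header):
    """Flags byte sits at offset 13 of the TCP header (after data offset/reserved)."""
    return tcp_header[13]

# Constructed 20-byte TCP header: ports 80 -> 8080, data offset 5, SYN+ACK set.
SAMPLE_SYN_ACK = (b"\x00\x50\x1f\x90" + b"\x00" * 8
                  + b"\x50\x12\xff\xff\x00\x00\x00\x00")

if __name__ == "__main__":
    f = tcp_flags_from_header(SAMPLE_SYN_ACK)
    for opt in ("flags:S;", "flags:SA;", "flags:*SA;", "flags:SF,CE;"):
        print(f"{opt:14} -> {flags_match(opt, f)}")
```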