fragbits

The fragbits option checks the IP header to see if specific fragmentation and reserved bits are set or not.

Rule writers can check for the following bits:

  • M -> More Fragments
  • D -> Don't Fragment
  • R -> Reserved Bit

Additionally, rule options can include one of the following optional modifiers to change how the criteria are evaluated:

  • + -> Match on the specified bits, plus any others
  • * -> Match if any of the specified bits are set
  • ! -> Match if the specified bits are not set

Format:

fragbits:[modifier]fragbit…;

Examples:

# Checks if only the More Fragments bit is set
fragbits:M;

# Checks if the More Fragments bit and the
# Don't Fragment bit are set, plus any others
fragbits:+MD;
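
The sketch below is an added example, not Snort's own code. It models how the plain form and the three modifiers evaluate against the flag bits in bytes 6-7 of an IPv4 header, so a rule writer can check which packets a given fragbits argument would match. The function names and the sample header are constructed for illustration, and it assumes that "!" matches when none of the listed bits are set.

```python
import struct

# IPv4 flag bits in the 16-bit flags/fragment-offset word (RFC 791 layout).
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
ALL_FLAGS = 0xE000


def header_flags(ipv4_header: bytes) -> int:
    """Return only the three flag bits from bytes 6-7 of an IPv4 header."""
    if len(ipv4_header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    (word,) = struct.unpack_from("!H", ipv4_header, 6)
    return word & ALL_FLAGS  # drop the 13-bit fragment offset


def fragbits_match(option: str, ipv4_header: bytes) -> bool:
    """Evaluate a fragbits argument such as 'M', '+MD', '*DR' or '!M'."""
    modifier = option[0] if option[:1] in ("+", "*", "!") else ""
    letters = option[len(modifier):]
    if not letters or any(c not in FLAG_BITS for c in letters):
        raise ValueError(f"bad fragbits argument: {option!r}")
    wanted = 0
    for c in letters:
        wanted |= FLAG_BITS[c]
    seen = header_flags(ipv4_header)
    if modifier == "+":   # specified bits set, any others allowed
        return (seen & wanted) == wanted
    if modifier == "*":   # at least one specified bit set
        return (seen & wanted) != 0
    if modifier == "!":   # assumption: none of the specified bits set
        return (seen & wanted) == 0
    return seen == wanted  # no modifier: exactly these bits and no others


def sample_header(flags: str, offset: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header with the given flag letters set."""
    word = offset & 0x1FFF
    for c in flags:
        word |= FLAG_BITS[c]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, word, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


if __name__ == "__main__":
    for arg in ("M", "+MD", "*MD", "!M"):
        for flags in ("", "M", "D", "MD", "MDR"):
            hit = fragbits_match(arg, sample_header(flags))
            print(f"fragbits:{arg}; flags={flags or '-':<3} match={hit}")
```

Note that the unmodified form is an exact comparison: fragbits:M; does not match a header that has both M and D set, which is the case the + modifier covers.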