Non-Payload Detection Rule Options
The non-payload rule options look for non-payload-related data. All of these options are described in detail in subsequent sections, but essentially, these options enable users to evaluate parts of a packet other than the TCP and UDP data sections, as well as keep track of packet states for future evaluation.
Quick Reference
| keyword | description |
|---|---|
| fragoffset | fragoffset looks for specific IP header fragment offset values |
| ttl | ttl looks for specific IP header TTL values |
| tos | tos looks for specific IP header ToS values |
| id | id looks for specific IP header ID values |
| ipopts | ipopts looks for the presence of specific IP options |
| fragbits | fragbits checks the IP header for fragmentation or reserved bits |
| ip_proto | ip_proto looks for specific IP header protocol fields |
| flags | flags checks the TCP header for specific TCP flag bits |
| flow | flow checks the session properties associated with a given packet |
| flowbits | flowbits is used to set and test arbitrary boolean flags to track states during a transport protocol session |
| file_type | file_type is used to create rules that are constrained to a specific file type, or to a specific version of a file type |
| seq | seq looks for specific TCP header sequence numbers |
| ack | ack looks for specific TCP header acknowledgment numbers |
| window | window looks for specific TCP header window sizes |
| itype | itype looks for specific ICMP type values |
| icode | icode looks for specific ICMP code values |
| icmp_id | icmp_id looks for specific ICMP ID values |
| icmp_seq | icmp_seq looks for specific ICMP sequence values |
| rpc | rpc looks for specific SUNRPC CALL request parameters |
| stream_reassemble | stream_reassemble is used to enable or disable TCP stream reassembly on matching traffic |
| stream_size | stream_size is used to perform stream size checking |
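As an added illustration (not part of the original manual), the rules below combine several options from the table: the first inspects header fields only, while the second and third use flowbits to record a session state and evaluate it on a later packet of the same session. $HOME_NET and the sid values are assumed placeholders.

```snort
# Added example rules, not from the Snort manual. Only non-payload options
# are used; $HOME_NET and the sid values are placeholders.

# 1. Header-only check, no session required (flow:stateless): a TCP SYN
#    with a low TTL inside a fragmented IP datagram (fragbits:M = the
#    "more fragments" bit is set) is an unusual combination worth logging.
alert tcp any any -> $HOME_NET any ( msg:"TCP SYN with low TTL in fragmented datagram"; flow:stateless; flags:S; ttl:<5; fragbits:M; sid:1000001; rev:1; )

# 2. State tracking: remember that a client reached the RDP service over an
#    established session. flowbits:noalert turns this rule into a silent
#    marker; it sets the flag but generates no event of its own.
alert tcp any any -> $HOME_NET 3389 ( msg:"RDP session marker"; flow:to_server,established; flowbits:set,rdp.session; flowbits:noalert; sid:1000002; rev:1; )

# 3. Later evaluation on the same session: flowbits:isset reads the state
#    stored by rule 2, and window:0 matches a client advertising a zero
#    TCP receive window, so the alert fires only for marked RDP sessions.
alert tcp any any -> $HOME_NET 3389 ( msg:"Zero window from client on marked RDP session"; flow:to_server,established; flowbits:isset,rdp.session; window:0; sid:1000003; rev:1; )
```

Because flowbits are stored per session, rule 3 can only match packets belonging to a flow that rule 2 has already seen.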