tos

The tos rule option checks whether an IP header's type of service (ToS) value is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value. It can also check whether the header's ToS value falls within a range of numbers, using the <> range operator for an exclusive range check or the <=> operator for an inclusive one.

This option is useful for detecting things like the "bubonic" DoS tool.

Format:

Single value comparison:
tos:[<|>|=|!|<=|>=]tos;
Range comparison:
tos:tos_min{<>|<=>}tos_max;

Examples:

# Check that the ToS value does not equal 4
tos:!4;
# Check that the ToS value equals 4
tos:4;
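
The examples above cover only single-value comparisons. The following added sketch (not Snort's own code) evaluates every operator from the Format section, including both range forms, against the ToS byte of a constructed IPv4 header. The function names, the strict no-whitespace parsing and the sample header are assumptions made for illustration.

```python
import re
import struct

# Grammar taken from the Format section above: an optional comparison operator
# and one integer, or two integers joined by a range operator.
_SINGLE = re.compile(r"^tos:(<=|>=|<|>|=|!)?(\d+);$")
_RANGE = re.compile(r"^tos:(\d+)(<=>|<>)(\d+);$")

_COMPARE = {
    "<": lambda v, n: v < n, ">": lambda v, n: v > n,
    "=": lambda v, n: v == n, "!": lambda v, n: v != n,
    "<=": lambda v, n: v <= n, ">=": lambda v, n: v >= n,
}


def compile_tos(option):
    """Return a predicate over a ToS value for one tos option string."""
    m = _RANGE.match(option)
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "<>":
            return lambda v: lo < v < hi    # exclusive: endpoints do not match
        return lambda v: lo <= v <= hi      # inclusive: endpoints match
    m = _SINGLE.match(option)
    if not m:
        raise ValueError("not a valid tos option: %r" % option)
    op, n = m.group(1) or "=", int(m.group(2))  # no operator means equality
    return lambda v: _COMPARE[op](v, n)


def ipv4_tos(header):
    """Read the ToS field, which is the second byte of an IPv4 header."""
    version_ihl, tos = struct.unpack_from("!BB", header, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


def make_header(tos):
    """Constructed 20-byte IPv4 header (documentation addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def matches(option, header):
    """Apply one tos option string to the ToS byte of a raw IPv4 header."""
    return compile_tos(option)(ipv4_tos(header))
```

With a ToS value of 4, tos:1<>4; does not match while tos:1<=>4; does, which is the difference to keep in mind when choosing a range operator.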