Fortinet Network Device IPS User Manual
Page 31
Custom signatures
Creating custom signatures
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
31
--tcp_flags
[,
Specify the TCP flags to match in a packet.
•
S: Match the SYN flag.
•
A: Match the ACK flag.
•
F: Match the FIN flag.
•
R: Match the RST flag.
•
U: Match the URG flag.
•
P: Match the PSH flag.
•
1: Match Reserved bit 1.
•
2: Match Reserved bit 2.
•
0: Match No TCP flags set.
•
+: Match on the specified bits, plus any
others.
•
*: Match if any of the specified bits are set.
•
!: Match if the specified bits are not set.
The first part if the value (
the bits that must present for a successful match.
For example:
--tcp_flags AP
only matches the case where both A and P bits
are set.
The second part ([,
and defines the additional bits that can present
for a match. For example:
tcp_flags S,12
matches the following combinations of flags: S, S
and 1, S and 2, S and 1 and 2.
The modifiers !, * and + can not be used in the
second part.
--window_size
[!]
Check for the specified TCP window size.
You can specify the window size as a
hexadecimal or decimal integer. A hexadecimal
value must be preceded by 0x.
To have the FortiGate search for the absence of
the specified window size, add an exclamation
mark (!) before the window size.
Table 6: TCP header keywords (Continued)
Keyword and Value
Description