TCP Header Values and Stream Size

The system supports keywords designed to identify attacks that are attempted using the TCP headers of packets and the size of TCP streams.

ack

You can use the ack keyword to compare a value against a packet’s TCP acknowledgment number. The rule triggers if a packet’s TCP acknowledgment number matches the value specified for the ack keyword.

Argument values for ack must be numeric.

flags

You can use the flags keyword to specify any combination of TCP flags that, when set in an inspected packet, cause the rule to trigger.

Note

In situations where you would traditionally use A+ as the value for flags, you should instead use the flow keyword with a value of established. Generally, you should use the flow keyword with a value of stateless when using flags to ensure that all combinations of flags are detected.

You can either check for or ignore the values described in the following table for the flags keyword.

flag Arguments

Argument   TCP Flag
Ack        Acknowledges data.
Psh        Data should be sent in this packet.
Syn        A new connection.
Urg        Packet contains urgent data.
Fin        A closed connection.
Rst        An aborted connection.
CWR        An ECN congestion window has been reduced. This was formerly the R1 argument, which is still supported for backward compatibility.
ECE        ECN echo. This was formerly the R2 argument, which is still supported for backward compatibility.

When using the flags keyword, you can use an operator to indicate how the system performs matches against multiple flags. The following table describes these operators.

Operators Used with flags

Operator   Description
all        The packet must contain all specified flags.
           Example: Select Urg and all to specify that a packet must contain the Urgent flag and may contain any other flags.
any        The packet can contain any of the specified flags.
           Example: Select Ack, Psh, and any to specify that either or both the Ack and Psh flags must be set to trigger the rule, and that other flags may also be set on a packet.
not        The packet must not contain the specified flag set.
           Example: Select Urg and not to specify that the Urgent flag is not set on packets that trigger this rule.
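The following is an added example, not code from the original page or from the detection engine it describes: it evaluates the all, any and not operators from the table above against the 8-bit TCP flags field of a packet, using the standard header bit values. The "A+" value mentioned in the note corresponds to Ack with the all operator here.

```python
# Added example: evaluate the flags keyword's all/any/not operators against
# a packet's TCP flags field (bit values as defined for the TCP header).
TCP_FLAGS = {
    "Fin": 0x01, "Syn": 0x02, "Rst": 0x04, "Psh": 0x08,
    "Ack": 0x10, "Urg": 0x20, "ECE": 0x40, "CWR": 0x80,
}

def flag_mask(names):
    """Combine the named flags (as spelled in the flag Arguments table) into a bitmask."""
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name]
    return mask

def flags_match(packet_flags, names, operator):
    """Return True if the packet's flags field satisfies the rule's flags
    argument (a list of flag names) under the given operator."""
    wanted = flag_mask(names)
    if operator == "all":   # every listed flag is set; other flags may also be set
        return packet_flags & wanted == wanted
    if operator == "any":   # at least one of the listed flags is set
        return packet_flags & wanted != 0
    if operator == "not":   # none of the listed flags is set
        return packet_flags & wanted == 0
    raise ValueError("unknown flags operator: %r" % operator)

# Constructed sample flags fields, as they would appear on the wire.
SYN_ONLY = TCP_FLAGS["Syn"]
SYN_ACK = TCP_FLAGS["Syn"] | TCP_FLAGS["Ack"]
ACK_PSH_URG = TCP_FLAGS["Ack"] | TCP_FLAGS["Psh"] | TCP_FLAGS["Urg"]

def demo():
    """Work the three table examples plus the note's A+ case against the samples."""
    return {
        "Urg all on ACK+PSH+URG": flags_match(ACK_PSH_URG, ["Urg"], "all"),      # True
        "Urg all on SYN+ACK": flags_match(SYN_ACK, ["Urg"], "all"),              # False
        "Ack,Psh any on SYN+ACK": flags_match(SYN_ACK, ["Ack", "Psh"], "any"),   # True
        "Ack,Psh any on SYN": flags_match(SYN_ONLY, ["Ack", "Psh"], "any"),      # False
        "Urg not on SYN+ACK": flags_match(SYN_ACK, ["Urg"], "not"),              # True
        "A+ on SYN+ACK": flags_match(SYN_ACK, ["Ack"], "all"),                   # True
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```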

flow

You can use the flow keyword to select packets for inspection by a rule based on session characteristics. The flow keyword allows you to specify the direction of the traffic flow to which a rule applies, applying rules to either the client flow or server flow. To specify how the flow keyword inspects your packets, you can set the direction of traffic you want analyzed, the state of packets inspected, and whether the packets are part of a rebuilt stream.

Stateful inspection of packets occurs when rules are processed. If you want a TCP rule to ignore stateless traffic (traffic without an established session context), you must add the flow keyword to the rule and select the Established argument for the keyword. If you want a UDP rule to ignore stateless traffic, you must add the flow keyword to the rule and select either the Established argument or a directional argument, or both. This causes the TCP or UDP rule to perform stateful inspection of a packet.

When you add a directional argument, the rules engine inspects only those packets that have an established state with a flow that matches the direction specified. For example, if you add the flow keyword with the established argument and the From Client argument to a rule that triggers when a TCP or UDP connection is detected, the rules engine only inspects packets that are sent from the client.

Tip

For maximum performance, always include a flow keyword in a TCP rule or a UDP session rule.

The following table describes the state-related arguments you can specify for the flow keyword:

State-Related flow Arguments

Argument      Description
Established   Triggers on established connections.
Stateless     Triggers regardless of the state of the stream processor.

The following table describes the directional options you can specify for the flow keyword:

flow Directional Arguments

Argument      Description
To Client     Triggers on server responses.
To Server     Triggers on client responses.
From Client   Triggers on client responses.
From Server   Triggers on server responses.

Notice that From Server and To Client perform the same function, as do To Server and From Client. These options exist to add context and readability to the rule. For example, if you create a rule designed to detect an attack from a server to a client, use From Server. But, if you create a rule designed to detect an attack from the client to the server, use From Client.

The following table describes the stream-related arguments you can specify for the flow keyword:

Stream-Related flow Arguments

Argument                Description
Ignore Stream Traffic   Does not trigger on rebuilt stream packets.
Only Stream Traffic     Triggers only on rebuilt stream packets.

For example, you can use To Server, Established, Only Stream Traffic as the value for the flow keyword to detect traffic, traveling from a client to the server in an established session, that has been reassembled by the stream preprocessor.

seq

The seq keyword allows you to specify a static sequence number value. Packets whose sequence number matches the specified argument trigger the rule containing the keyword. While this keyword is used rarely, it is helpful in identifying attacks and network scans that use generated packets with static sequence numbers.

window

You can use the window keyword to specify the TCP window size you are interested in. A rule containing this keyword triggers whenever it encounters a packet with the specified TCP window size. While this keyword is used rarely, it is helpful in identifying attacks and network scans that use generated packets with static TCP window sizes.

stream_size

You can use the stream_size keyword in conjunction with the stream preprocessor to determine the size in bytes of a TCP stream, using the format:

direction,operator,bytes

where bytes is the number of bytes. You must separate each option in the argument with a comma (,).

The following table describes the case-insensitive directional options you can specify for the stream_size keyword:

stream_size Keyword Directional Arguments

Argument   Description
client     Triggers on a stream from the client matching the specified stream size.
server     Triggers on a stream from the server matching the specified stream size.
both       Triggers on traffic from the client and traffic from the server both matching the specified stream size.
           Example: the argument both, >, 200 would trigger when traffic from the client is greater than 200 bytes AND traffic from the server is greater than 200 bytes.
either     Triggers on traffic from either the client or the server matching the specified stream size, whichever occurs first.
           Example: the argument either, >, 200 would trigger when traffic from the client is greater than 200 bytes OR traffic from the server is greater than 200 bytes.

The following table describes the operators you can use with the stream_size keyword:

stream_size Keyword Argument Operators

Operator   Description
=          equal to
!=         not equal to
>          greater than
<          less than
>=         greater than or equal to
<=         less than or equal to

For example, you could use client, >=, 5001216 as the argument for the stream_size keyword to detect a TCP stream traveling from a client to a server and greater than or equal to 5001216 bytes.
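The following is an added example, not code from the original page or from the detection engine it describes: it parses a stream_size argument in the direction,operator,bytes format and evaluates it against the per-direction byte counts a stream preprocessor would have tracked for a session, working through the both, either and client examples given above. The byte counts are constructed inputs; how a real preprocessor exposes them is not specified on this page.

```python
# Added example: parse and evaluate a stream_size argument of the form
# direction,operator,bytes against tracked client/server byte counts.
import operator as op

# The six operators from the stream_size Keyword Argument Operators table.
OPERATORS = {"=": op.eq, "!=": op.ne, ">": op.gt, "<": op.lt, ">=": op.ge, "<=": op.le}
DIRECTIONS = ("client", "server", "both", "either")

def parse_stream_size(argument):
    """Split 'direction,operator,bytes'. The direction is case-insensitive and
    whitespace around the commas (as in 'both, >, 200') is tolerated."""
    parts = [p.strip() for p in argument.split(",")]
    if len(parts) != 3:
        raise ValueError("stream_size needs direction,operator,bytes: %r" % argument)
    direction, oper, size = parts
    direction = direction.lower()
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction: %r" % direction)
    if oper not in OPERATORS:
        raise ValueError("unknown operator: %r" % oper)
    if not size.isdigit():
        raise ValueError("bytes must be numeric: %r" % size)
    return direction, oper, int(size)

def stream_size_matches(argument, client_bytes, server_bytes):
    """True if the tracked stream sizes satisfy the stream_size argument."""
    direction, oper, size = parse_stream_size(argument)
    compare = OPERATORS[oper]
    client_ok = compare(client_bytes, size)
    server_ok = compare(server_bytes, size)
    if direction == "client":
        return client_ok
    if direction == "server":
        return server_ok
    if direction == "both":          # both sides must satisfy the comparison
        return client_ok and server_ok
    return client_ok or server_ok    # either: whichever side satisfies it first

def demo():
    """Constructed session: the client has sent 201 bytes, the server 150."""
    return {
        "both, >, 200": stream_size_matches("both, >, 200", 201, 150),       # False
        "either, >, 200": stream_size_matches("either, >, 200", 201, 150),   # True
        "client, >=, 5001216": stream_size_matches("client, >=, 5001216", 5001216, 0),  # True
    }

if __name__ == "__main__":
    for argument, result in demo().items():
        print(argument, "->", result)
```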