Force10 Networks P-Series 100-00055-01 User Manual

P-Series Installation and Operation Guide, version 2.3.1.2
Appendix B
Snort Keywords

This appendix briefly describes the valid Snort keywords supported on the P-Series. For a more detailed explanation of these keywords, see
Table 28 Description of P-Series Snort Keywords

Keyword: ack
Description: Checks for a specific TCP acknowledgment number. number is a reference to a previously transmitted sequence number that is being acknowledged.
Rule Syntax: ack: number;

Keyword: content
Description: Specifies the content within the packet payload for which the rule is to search. data_string can contain mixed text and binary data. Binary data is enclosed within pipe characters and is written in hexadecimal form.
Rule Syntax: content: [!] "data_string";

Keyword: dsize
Description: Inspects the packet payload size. number is the payload size in bytes.
Rule Syntax: dsize: [>|<] number [>|<number];

Keyword: flags
Description: Checks for the presence of the specified TCP flag bits. Valid flag bits include:
• F: FIN (Least Significant Bit (LSB) in the TCP Flags byte)
• S: SYN
• R: RST
• P: PSH
• A: ACK
• U: URG
• 1: Reserved bit 1 (Most Significant Bit (MSB) in the TCP Flags byte)
• 2: Reserved bit 2
• 0: No TCP flags set
The following modifiers change the match criteria:
• +: Match on the specified bits, plus any others.
• *: Match if any of the specified bits are set.
• !: Match if the specified bits are not set.
Rule Syntax: flags: [!|*|+] {F|S|R|P|A|U|1|2|0}[,{F|S|R|P|A|U|1|2|0}];
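The flags semantics of Table 28 as a runnable check, written in Python as an added example rather than code from the Force10 manual or from Snort: it parses a flags option, maps each character to the bit position the table gives, and applies the +, * and ! modifiers as described. Two assumptions: reserved bit 2 is taken to be the 0x40 bit (the one left between URG and reserved bit 1), and the optional second flag group is treated as bits to ignore when comparing, as Snort's own documentation describes; the sample packet flag bytes are constructed, not captured.

```python
import re

# Bit value of each flag character in Table 28. F is the least significant
# bit and reserved bit 1 the most significant, as the table states; reserved
# bit 2 is assumed to be the remaining bit, 0x40. "0" means no flags set.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00,
}

# flags:[!|*|+]{bits}[,{bits}];  The second group is treated as a mask of
# bits to ignore while comparing (assumption: Snort's documented behaviour).
_FLAGS_OPTION = re.compile(
    r"^\s*flags\s*:\s*([!*+]?)\s*([FSRPAU120]+)\s*(?:,\s*([FSRPAU120]+))?\s*;?\s*$"
)

def _to_byte(chars):
    """OR together the bit values of the flag characters in chars."""
    value = 0
    for c in chars:
        value |= FLAG_BITS[c]
    return value

def parse_flags_option(option):
    """Parse a flags option into (modifier, wanted_bits, ignore_mask)."""
    m = _FLAGS_OPTION.match(option)
    if m is None:
        raise ValueError("not a valid flags option: %r" % option)
    modifier, bits, mask = m.group(1), m.group(2), m.group(3) or ""
    return modifier, _to_byte(bits), _to_byte(mask)

def flags_match(option, tcp_flags):
    """Return True if a packet's 8-bit TCP flags byte satisfies the option."""
    modifier, want, ignore = parse_flags_option(option)
    seen = (tcp_flags & 0xFF) & ~ignore      # drop the masked-out bits first
    if modifier == "+":                      # specified bits, plus any others
        return seen & want == want
    if modifier == "*":                      # any of the specified bits set
        return seen & want != 0
    if modifier == "!":                      # specified bits are not set
        return seen & want == 0
    return seen == want                      # no modifier: exact match

# Constructed flag bytes for a few packets (not captured traffic).
SAMPLE_PACKETS = {"syn": 0x02, "syn_ack": 0x12, "syn_ecn": 0xC2,
                  "syn_fin": 0x03, "null": 0x00}

def matching_packets(option, packets=SAMPLE_PACKETS):
    """Names of the sample packets whose flags satisfy the option."""
    return [name for name, f in packets.items() if flags_match(option, f)]
```

Note that `flags:S;` alone rejects a SYN carrying the reserved (ECN) bits, while `flags:S,12;` accepts it, which is why rules on bare SYNs usually mask those bits out.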