FireSIGHT System User Guide (Cisco Firepower Management Center 4000)
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting TCP Header Values and Stream Size
License: Protection
The FireSIGHT System supports keywords that are designed to identify attacks attempted using the TCP headers of packets and the TCP stream size. See the following sections for more information about the TCP-specific keywords.
Inspecting the TCP Acknowledgement Value
License: Protection
You can use the ack keyword to compare a value against a packet's TCP acknowledgement number. The rule triggers if a packet's TCP acknowledgement number matches the value specified for the ack keyword. Argument values for ack must be numeric.
Inspecting TCP Flag Combinations
License: Protection
You can use the flags keyword to specify any combination of TCP flags that, when set in an inspected packet, cause the rule to trigger.
Note
In situations where you would traditionally use A+ as the value for flags, you should instead use the flow keyword with a value of established. Generally, you should use the flow keyword with a value of stateless when using flags, to ensure that all combinations of flags are detected. See the section on the flow keyword for more information.
You can either check for or ignore the values described in the following table for the flags keyword.

Table 32-25   flags Arguments

Argument   TCP Flag
Ack        Acknowledges data.
Psh        Data should be sent in this packet.
Syn        A new connection.
Urg        Packet contains urgent data.
Fin        A closed connection.
Rst        An aborted connection.
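The ack and flags keywords above both test fields of the fixed TCP header. The following Python is an added illustration, not code from the FireSIGHT System or from this guide: it decodes the 20-byte TCP header of a constructed segment and evaluates an ack check and a flags check against it in the way those keywords are described here. The exact/ignore semantics of flags_match (every named flag must be set, ignored flags are masked out, everything else must be clear) are modelled on the Snort default and are an assumption, as are the helper names and the sample segments.

```python
import struct

# Bit values of the TCP control flags in the 16-bit data-offset/flags word.
# The six flags of Table 32-25 (RFC 793) plus ECE/CWR (RFC 3168), which a
# flags rule may want to ignore. Names follow the table's argument spelling.
TCP_FLAG_BITS = {
    "Fin": 0x001, "Syn": 0x002, "Rst": 0x004, "Psh": 0x008,
    "Ack": 0x010, "Urg": 0x020, "Ece": 0x040, "Cwr": 0x080,
}
FLAG_MASK = 0x0FF  # all eight flag bits above (the NS bit is ignored)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header of a segment (IP header already removed)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("TCP data offset is out of range")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & FLAG_MASK, "window": window,
        "payload": segment[data_offset:],
    }


def ack_matches(header: dict, value: int) -> bool:
    """Equivalent of `ack:<value>`: exact compare against the acknowledgement number."""
    return header["ack"] == value


def flags_match(header: dict, check, ignore=()) -> bool:
    """Equivalent of `flags:<check>` with optional ignored flags.

    Semantics modelled on the Snort default (an assumption, not quoted from the
    guide): every flag in `check` must be set, every flag in `ignore` is masked
    out before comparing, and any remaining flag must be clear.
    """
    want = 0
    for name in check:
        want |= TCP_FLAG_BITS[name]
    mask = FLAG_MASK
    for name in ignore:
        mask &= ~TCP_FLAG_BITS[name]
    return (header["flags"] & mask) == (want & mask)


def rule_hits(segment: bytes, ack_value=None, flags_check=None, flags_ignore=()) -> bool:
    """Evaluate a rule made of an optional ack test and an optional flags test."""
    hdr = parse_tcp_header(segment)
    if ack_value is not None and not ack_matches(hdr, ack_value):
        return False
    if flags_check is not None and not flags_match(hdr, flags_check, flags_ignore):
        return False
    return True


def build_segment(sport, dport, seq, ack, flag_names, payload=b"") -> bytes:
    """Construct a TCP segment with a 20-byte header (checksum left as zero)."""
    flags = 0
    for name in flag_names:
        flags |= TCP_FLAG_BITS[name]
    off_flags = (5 << 12) | flags                 # data offset: 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload


# Constructed sample segments (not captured traffic): a SYN/ACK handshake reply
# and a PSH/ACK data segment from the same server.
SYN_ACK = build_segment(80, 40000, 1000, 2000, ["Syn", "Ack"])
PSH_ACK = build_segment(80, 40000, 1001, 2000, ["Psh", "Ack"], b"HTTP/1.1 200 OK\r\n")

if __name__ == "__main__":
    for name, seg in (("SYN_ACK", SYN_ACK), ("PSH_ACK", PSH_ACK)):
        hdr = parse_tcp_header(seg)
        print(name, "ack=%d flags=0x%02x" % (hdr["ack"], hdr["flags"]),
              "ack:2000 ->", ack_matches(hdr, 2000),
              "flags:SA ->", flags_match(hdr, ["Syn", "Ack"]),
              "flags:S ignoring A ->", flags_match(hdr, ["Syn"], ignore=["Ack"]))
```

Note that `flags_match(hdr, ["Syn"])` does not fire on the SYN/ACK segment: with exact semantics the extra Ack bit disqualifies it, which is exactly the case where ignoring Ack (or, as the note above says, using flow:established instead of A+) is the right tool.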