Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Inspecting TCP Header Values and Stream Size
License: Protection
The FireSIGHT System supports keywords that are designed to identify attacks attempted using TCP
headers of packets and TCP stream size. See the following sections for more information about
TCP-specific keywords, including:
• Inspecting the TCP Acknowledgement Value
• Inspecting TCP Flag Combinations
Inspecting the TCP Acknowledgement Value
License: Protection
You can use the ack keyword to compare a value against a packet’s TCP acknowledgement number. The
rule triggers if a packet’s TCP acknowledgement number matches the value specified for the ack
keyword. Argument values for ack must be numeric.
Inspecting TCP Flag Combinations
License: Protection
You can use the flags keyword to specify any combination of TCP flags that, when set in an inspected
packet, cause the rule to trigger.
Note
In situations where you would traditionally use A+ as the value for flags, you should instead use the
flow keyword with a value of established. A+ matches every packet with the ACK bit set, which is
nearly every packet of an established connection; flow:established expresses that intent directly and
lets the stream tracker decide whether the connection really is established. Generally, you should use
the flow keyword with a value of stateless when using flags to ensure that all combinations of flags
are detected, including packets the stream tracker would otherwise drop as not belonging to a valid
session. See the section on the flow keyword for more information.
You can either check for or ignore the values described in the following table for the flags
keyword. Flags listed under "check for" must match; flags listed under "ignore" are masked out of the
packet before the comparison is made, so their state does not affect whether the rule triggers.
Table 32-25 flags Arguments
Argument   TCP Flag
Ack        Acknowledges data (ACK bit set).
Psh        Data should be pushed to the receiving application without buffering (PSH bit set).
Syn        A new connection; sequence numbers are being synchronized (SYN bit set).
Urg        Packet contains urgent data (URG bit set).
Fin        The sender has finished sending data; the connection is being closed (FIN bit set).
Rst        An aborted connection; the sender is resetting it (RST bit set).
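The following is an added worked example, not code from the FireSIGHT System or the Snort engine. It implements the matching semantics of the ack and flags keywords described in the two sections above over constructed TCP headers, so you can see why flags:S,12 still fires on a SYN with the reserved bits set, why flags:A+ fires on almost every mid-stream packet, and how ack:0 pairs with flags:A. The option syntax it accepts (flags:<flags>[,<ignore>] with the +, * and ! modifiers and the 1, 2 and 0 values for the reserved bits and "no flags") is the Snort rule syntax that FireSIGHT intrusion rules are written in; the rule strings and packets are constructed here for illustration.

```python
"""Matcher for the Snort-style ``ack`` and ``flags`` rule keywords.

Added illustrative code: the rule options and TCP headers below are
constructed inline; this is not the FireSIGHT/Snort implementation.
"""
import struct

# Bit positions of the TCP flags byte (byte 13 of the header). The letters
# are the ones the flags keyword uses; 1 and 2 are the reserved bits
# (CWR and ECE in RFC 3168) and 0 means "no flags set".
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}
MODIFIERS = {"+": "plus", "*": "any", "!": "not"}


def make_tcp_header(flags, seq=1, ack=0, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (no options, zero checksum)."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 8192, 0, 0)


def parse_flags(arg):
    """Parse a flags argument such as 'S,12', 'A+', '*SF', '!A' or '0'.

    Returns (mode, checked_bits, ignored_bits). The optional second field
    lists flags to ignore: they are masked out of the packet before comparing.
    """
    fields = arg.replace(" ", "").split(",")
    if len(fields) > 2 or not fields[0]:
        raise ValueError("flags: expected <flags>[,<ignore>]")
    mode, checked, ignored = "normal", 0, 0
    for ch in fields[0]:
        if ch in MODIFIERS:
            mode = MODIFIERS[ch]
        elif ch == "0":
            pass  # "no flags set": checked stays 0
        elif ch in FLAG_BITS:
            checked |= FLAG_BITS[ch]
        else:
            raise ValueError("flags: bad flag %r" % ch)
    if len(fields) == 2:
        for ch in fields[1]:
            if ch not in FLAG_BITS:
                raise ValueError("flags: bad ignore flag %r" % ch)
            ignored |= FLAG_BITS[ch]
    return mode, checked, ignored


def flags_match(mode, checked, ignored, pkt_flags):
    """Apply the flags keyword semantics to a packet's flags byte."""
    pkt = pkt_flags & ~ignored & 0xFF  # drop the ignored bits first
    if mode == "normal":   # exactly these flags and no others
        return pkt == checked
    if mode == "plus":     # these flags set, any others allowed (A+)
        return (pkt & checked) == checked
    if mode == "any":      # at least one of these flags set (*SF)
        return (pkt & checked) != 0
    if mode == "not":      # none of these flags set (!A)
        return (pkt & checked) == 0
    raise ValueError("unknown mode %r" % mode)


def parse_options(options):
    """Parse 'flags:S,12; ack:0;' into a list of (keyword, parsed value)."""
    parsed = []
    for opt in options.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if keyword == "flags":
            parsed.append(("flags", parse_flags(value)))
        elif keyword == "ack":
            if not value.isdigit():  # the ack argument must be numeric
                raise ValueError("ack: argument must be numeric")
            parsed.append(("ack", int(value)))
        else:
            raise ValueError("unsupported keyword %r" % keyword)
    return parsed


def rule_matches(options, tcp_header):
    """True if every ack/flags option in `options` matches the header."""
    pkt_flags = tcp_header[13]
    pkt_ack = struct.unpack("!I", tcp_header[8:12])[0]
    for keyword, value in parse_options(options):
        if keyword == "flags" and not flags_match(*value, pkt_flags):
            return False
        if keyword == "ack" and pkt_ack != value:
            return False
    return True


if __name__ == "__main__":
    syn_with_ecn = make_tcp_header(0x02 | 0x40 | 0x80)  # SYN + ECE + CWR
    print(rule_matches("flags:S,12;", syn_with_ecn))   # reserved bits ignored
    print(rule_matches("flags:S;", syn_with_ecn))      # exact match fails
    print(rule_matches("flags:A; ack:0;", make_tcp_header(0x10, ack=0)))
```

The "ignore" field matters for ECN-capable hosts: a modern SYN often carries the ECE and CWR bits, so flags:S alone misses it while flags:S,12 does not. The flags:A+ case shows why the note above steers you to flow:established instead: anything with ACK set matches, which is almost every packet after the handshake.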