topic Re: confusion abt tcp flags and tcp mask in signatures in Network Security

confusion abt tcp flags and tcp mask in signatures

sebastan_bach — Sun, 10 Mar 2019 10:23:03 GMT

hi all can someone pls tell me what is the difference between tcp flags and tcp mask in the signatures.

as far as i understood is that tcp flags are the bits which need to be present in the tcp packet for the signature to match. then why the tcp mask how it uses the tcp masks.

i am really little confused abt the same.

can someone pls help me out.

regards

sebastan

Re: confusion abt tcp flags and tcp mask in signatures

mhellman — Wed, 20 Dec 2006 14:34:33 GMT

tcp mask is the relevant bits that you want to check. Of those that you want to check, the tcp flags are the ones that must be set.

This allows you to ignore whether some bits set or not.

Re: confusion abt tcp flags and tcp mask in signatures

scothrel — Wed, 20 Dec 2006 19:31:18 GMT

Correct.

PData AND Mask =? Flags is the operation being checked. PData is the data from the packet, bitwise AND with tcp_mask and compare to tcp_flags. The result is TRUE if the comparison is EQUAL.

Re: confusion abt tcp flags and tcp mask in signatures

sebastan_bach — Thu, 21 Dec 2006 09:45:54 GMT

hi u mean to say in the tcp flags are the flags which need to be present in the tcp packet for the signature to be matched.

and in the mask field are the bits which needs t be checked .

example in the tcp flags say i set syn and fin bit. and in the mask field i only set the fin bit.

now when the tcp packet has both the syn and fin bits will the signature be fired.

or the signature will be fired only if the tcp packet is having the fin bit.

can u pls clear my doubt regarding the same.

waiting for ur reply.

regards

sebastan

Re: confusion abt tcp flags and tcp mask in signatures

mhellman — Thu, 21 Dec 2006 14:39:04 GMT

"example in the tcp flags say i set syn and fin bit. and in the mask field i only set the fin bit."

"now when the tcp packet has both the syn and fin bits will the signature be fired."

the signature _might_ fire, but I wonder if you understand the settings? You essentially said:

"i only care about the fin flag" (mask)

"make sure the syn and fin flags are set" (flags)

Based on my understanding the tcp flags should always be a subset of the mask. remember, your saying "of these flags (mask), make sure only these are set(flags)". The IPS software does allow you to make the selection though and I'm not sure what it does. Based on scothrel's earlier response, it should not fire the alarm:

0 0 0 0 0 0 0 1 (mask)

0 0 0 0 0 0 1 1 (pdata)

---------------

0 0 0 0 0 0 0 1

0 0 0 0 0 0 1 1 (flags)