confusion abt tcp flags and tcp mask in signatures

sebastan_bach
Level 4

Hi all, can someone please tell me what the difference is between TCP flags and TCP mask in the signatures?

As far as I understood, the TCP flags are the bits which need to be present in the TCP packet for the signature to match. Then why the TCP mask, and how does it use the TCP mask?

I am really a little confused about the same.

Can someone please help me out?

regards

sebastan

4 Replies

mhellman
Level 7

The TCP mask is the relevant bits that you want to check. Of those that you want to check, the TCP flags are the ones that must be set.

This allows you to ignore whether some bits are set or not.

Correct.

(PData AND Mask) == Flags is the operation being checked. PData is the data from the packet, bitwise ANDed with tcp_mask and compared to tcp_flags. The result is TRUE if the comparison is EQUAL.

Hi, you mean to say that the TCP flags are the flags which need to be present in the TCP packet for the signature to be matched,

and in the mask field are the bits which need to be checked?

Example: in the TCP flags, say I set the SYN and FIN bits, and in the mask field I only set the FIN bit.

Now when the TCP packet has both the SYN and FIN bits, will the signature be fired?

Or will the signature be fired only if the TCP packet has the FIN bit?

Can you please clear my doubt regarding the same?

Waiting for your reply.

regards

sebastan

"Example: in the TCP flags, say I set the SYN and FIN bits, and in the mask field I only set the FIN bit."

"Now when the TCP packet has both the SYN and FIN bits, will the signature be fired?"

The signature _might_ fire, but I wonder if you understand the settings? You essentially said:

"I only care about the FIN flag" (mask)

"make sure the SYN and FIN flags are set" (flags)

Based on my understanding, the TCP flags should always be a subset of the mask. Remember, you're saying "of these flags (mask), make sure only these are set (flags)". The IPS software does allow you to make the selection though, and I'm not sure what it does. Based on scothrel's earlier response, it should not fire the alarm:

0 0 0 0 0 0 0 1 (mask)

0 0 0 0 0 0 1 1 (pdata)

---------------

0 0 0 0 0 0 0 1

0 0 0 0 0 0 1 1 (flags)
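The (PData AND Mask) == Flags check from the replies above, as an added worked example (not code from the thread or from the Cisco IPS software). It assumes the standard TCP flags byte layout (FIN is the low bit, SYN the next), and adds the subset check the last reply reasons about, so a mask/flags pair that can never match is flagged before the signature is deployed.

```python
# Bit values of the TCP flags byte (standard header layout: FIN is bit 0, SYN bit 1).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def flag_bits(names):
    """Turn flag names such as ["SYN", "FIN"] into the corresponding bit value."""
    bits = 0
    for name in names:
        bits |= TCP_FLAGS[name.upper()]
    return bits


def signature_matches(pdata, tcp_mask, tcp_flags):
    """The operation from the thread: (PData AND Mask) == Flags.
    Bits outside the mask are cleared first, so they are ignored."""
    return (pdata & tcp_mask) == tcp_flags


def flags_subset_of_mask(tcp_mask, tcp_flags):
    """Sanity check for a signature: every bit required by tcp_flags must also be in
    tcp_mask, otherwise the AND can never reproduce that bit and the signature is dead."""
    return (tcp_flags & ~tcp_mask) == 0


def evaluate(packet_flags, mask_names, flag_names):
    """Evaluate one constructed packet against a mask/flags pair and return the details."""
    mask, flags, pdata = flag_bits(mask_names), flag_bits(flag_names), flag_bits(packet_flags)
    return {
        "mask": f"{mask:08b}",
        "pdata": f"{pdata:08b}",
        "pdata_and_mask": f"{pdata & mask:08b}",
        "flags": f"{flags:08b}",
        "valid": flags_subset_of_mask(mask, flags),
        "fires": signature_matches(pdata, mask, flags),
    }


if __name__ == "__main__":
    # Constructed packets: the flag sets below are sample inputs, not captured traffic.
    packets = [["SYN", "FIN"], ["SYN", "FIN", "PSH"], ["SYN", "FIN", "ACK"], ["SYN"]]
    # Case 1: the configuration from the question (flags not a subset of mask).
    # Case 2: the same intent expressed correctly: care about SYN/FIN/ACK, require SYN+FIN only.
    for mask_names, flag_names in ([["FIN"], ["SYN", "FIN"]],
                                   [["SYN", "FIN", "ACK"], ["SYN", "FIN"]]):
        print(f"mask={mask_names} flags={flag_names} valid={flags_subset_of_mask(flag_bits(mask_names), flag_bits(flag_names))}")
        for pkt in packets:
            r = evaluate(pkt, mask_names, flag_names)
            print(f"  packet {pkt}: {r['pdata']} & {r['mask']} = {r['pdata_and_mask']} vs {r['flags']} -> fires={r['fires']}")
```

With case 1 the SYN+FIN packet does not fire (00000001 != 00000011); with case 2 it fires, a SYN+FIN+PSH packet still fires because PSH is outside the mask, and SYN+FIN+ACK does not because ACK is masked in but not required.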
