Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
0
Helpful
2
Replies

IDS Signature configuration - Using masks and Flags

m.mohanasundaram
Level 1
Level 1

‎06-23-2005 10:51 PM - edited ‎03-10-2019 01:30 AM

Hi all,

It is not clear to me on how to use "mask" and "flags" while editing a signature on IDM. In the wizad, I have the option to select the TCP flags to either fire (TRUE)or NOT to fire (FALSE) the alarm or ignore (Don't Care)the flag. Can someone explain how the mask is used? My understanding about them is;

Mask tells the sensor what flags to monitor. Other flags are ignored.

TcpFlag tells the sensor to fire the alarm, if that particular flag is set.

Say for example; I select SYN and ACK in the mask and only SYN in the TcpFlag. This means, the signature will fire only if SYN is set in the packet. If ACK is also set in addition to SYN, then the sig will not fire. This is equal to setting the SYN to TRUE; ACK to False and all other flags to DON'T Care. Am I correct?

Thanks in advance,

Mohan

Labels:
0 Helpful
2 Replies 2

marcabal
Cisco Employee
Cisco Employee

‎06-24-2005 09:01 AM

You are correct.

By setting Mask to SYN and ACK it will ignore the other flags.

By setting TcpFlag to SYN the signature will trigger if the packet has a SYN, but will not fire if it also has an ACK.

So a SYN packet will trigger it.

A SYN ACK packet will Not.

An ACK packet will Not.

A RST packet will Not.

etc..

However, be aware that a SYN with a combination of any other flag besides ACK WILL trigger it.

So a SYN RST will trigger it.

A SYN FIN will trigger it.

A SYN RST FIN PSH will trigger it.

etc...

This is because the signature will only look to ensure the SYN is present and the ACK is not present.

So the signature will trigger on a traditional SYN to open a connection, but will also trigger on these other weird combinations that are not part of a normal TCP connection.

So if you want to limit it to firing only on real SYN packets, then go ahead and list all the flags in the Mask and only SYN in the TcpFlags. This will ensure the signature triggers on only packets with the single SYN flag.

0 Helpful

m.mohanasundaram
Level 1
Level 1
In response to marcabal

‎06-24-2005 11:10 PM

Perfect!!!!

Thank you marcabal. This is exactly my understanding.

Regards,

Mohan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card