I wrote the following rules:

alert tcp any any -> 192.168.6.4 any (msg:"SYN"; flags: S;)
alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags: F;)

The SYN rule is matching. The FIN isn't. I can't find a part in their documentation for TCP Flags.

I want to detect packets, where the SYN,FIN,PSH,ACK flags are set. How do I do that?

flippie

1 Answer

alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags: F;)

flags: F matches packets where the flag is exactly FIN.
But if you want to match the end of the connection you usually encounter packets which have both FIN and ACK set, so your rule does not match. To match packets where at least FIN is set but other flags might also be set, use flags: F+.

I want to detect packets, where the SYN,FIN,PSH,ACK flags are set. How do I do that?

To match exactly this combination use flags: SFPA.

Steffen Ullrich
  • excerpt from a packet: "tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} Tried it with: alert tcp any any -> 192.168.6.4 any (msg:"test"; Flags: SF+;) But it does not match. – flippie Dec 21 '20 at 12:24
  • @flippie: Works for me. I have no idea what you are doing different. But [here](https://filebin.ca/5lW7uQCegy1J/files.tgz) you can find the setup I've used, i.e. the suricata.rules, the pcap file and the eve.json with the alerts. Tested with suricata 6.0.1. – Steffen Ullrich Dec 21 '20 at 15:10
  • Thank you a lot for the files. I will check them out to see, what the problem is. – flippie Dec 21 '20 at 19:11
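To make the difference between flags: F, flags: F+ and flags: SFPA concrete, here is an added example (not Suricata's own code, just a model of the flags keyword's matching rules as documented) run against constructed flag bytes, including the tcp_flags "1b" segment quoted in the comments:

```python
# Added example, not Suricata's own code: a small model of how Suricata's
# "flags" keyword decides whether a rule matches a TCP segment. It shows why
# "flags: F" misses a FIN/ACK segment while "flags: F+" and "flags: SFPA"
# behave as the answer describes.

# TCP flag bits as in the TCP header (and in eve.json "tcp_flags").
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags_option(option: str):
    """Parse a Suricata "flags:" value: [!|*|+]<FSRPAUEC0>[,<FSRPAUEC>].

    Returns (modifier, required_mask, ignore_mask); "0" means no flags set.
    """
    spec, _, ignore = option.strip().rstrip(";").partition(",")
    modifier = ""
    for ch in "!*+":
        if ch in spec:   # the modifier may precede or follow the letters (F+)
            modifier, spec = ch, spec.replace(ch, "")
    required = sum(FLAG_BITS[ch] for ch in spec if ch != "0")
    ignore_mask = sum(FLAG_BITS[ch] for ch in ignore)
    return modifier, required, ignore_mask


def flags_match(option: str, tcp_flags: int) -> bool:
    """Apply a "flags:" option to a segment's raw TCP flag byte."""
    modifier, required, ignore_mask = parse_flags_option(option)
    flags = tcp_flags & ~ignore_mask & 0xFF   # bits after "," are ignored
    if modifier == "+":      # all listed bits set, others may be set too
        return flags & required == required
    if modifier == "*":      # at least one listed bit set
        return flags & required != 0
    if modifier == "!":      # none of the listed bits set
        return flags & required == 0
    return flags == required  # no modifier: exact combination only


# Constructed sample segments: a plain SYN, a FIN/ACK teardown segment, and
# the SYN+FIN+PSH+ACK combination (tcp_flags "1b") quoted in the comments.
SAMPLES = {"syn": 0x02, "fin_ack": 0x11, "sfpa": 0x1B}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        for opt in ("S", "F", "F+", "SF+", "SFPA"):
            print(f"{name:8} flags:{opt:5} -> {flags_match(opt, raw)}")
```

Running it prints a True/False table showing that the FIN/ACK segment matches only F+, while the 0x1b segment matches SF+ and SFPA but not the bare S or F rules.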