Reference for TCP Flags in suricata flow event

Any idea where I can find a lookup table that details the meanings of these tcp_flags? I’m trying to determine the meaning of 1f that is showing up in quite a few events. Here is a snippet of the code event:

"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"time_wait"}}

The closest I’d been able to find were a couple of github repos that contain basically the same csv file, such as this stamus_for_splunk/suricata_tcp_flag.csv at master · StamusNetworks/stamus_for_splunk · GitHub. However it does not contain the 1f code.

I’ve seen this on two separate networks, one utilises VLANs in what the suricata host is capturing, the other does not. I’m running suricata 6.0.4 installed from the official rpm repos.

Well 1f would stand for ACK-PSH-RST-SYN-FIN (1f is 00011111).
See Transmission Control Protocol - Wikipedia

This also matches the flags mentioned as true in your output.

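Decoding the flow event's flag fields the way the answer above describes, as an added example that is not from this thread or from Suricata's own code. It assumes the standard TCP header bit layout (FIN=0x01 up to CWR=0x80) and uses a constructed flow event built from the snippet in the question; it also splits the per-direction fields so you can see which flags only one side sent.

```python
import json

# Standard TCP header flag bits (RFC 793 / RFC 3168). Suricata's tcp_flags
# fields are this byte OR-ed over every packet seen (overall, to-server, to-client).
TCP_FLAG_BITS = [
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]

def decode_tcp_flags(hex_flags: str) -> list[str]:
    """Turn a Suricata tcp_flags value such as "1f" into flag names, high bit first."""
    value = int(hex_flags, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"tcp_flags out of range: {hex_flags}")
    return [name for bit, name in TCP_FLAG_BITS if value & bit]

def describe_flow(event: dict) -> dict:
    """Decode the three flag fields of a flow event's 'tcp' object and report
    which flags appeared in only one direction (often the interesting part)."""
    tcp = event["tcp"]
    decoded = {k: decode_tcp_flags(tcp[k]) for k in ("tcp_flags", "tcp_flags_ts", "tcp_flags_tc")}
    ts, tc = set(decoded["tcp_flags_ts"]), set(decoded["tcp_flags_tc"])
    decoded["only_to_server"] = sorted(ts - tc)
    decoded["only_to_client"] = sorted(tc - ts)
    # Sanity check: the boolean fields Suricata emits must agree with the bitmask.
    for key, name in (("syn", "SYN"), ("fin", "FIN"), ("rst", "RST"),
                      ("psh", "PSH"), ("ack", "ACK"), ("urg", "URG")):
        if key in tcp and tcp[key] != (name in decoded["tcp_flags"]):
            raise ValueError(f"flag boolean '{key}' disagrees with tcp_flags")
    return decoded

# Constructed sample flow event; the tcp values are the ones quoted in the question.
SAMPLE_EVENT = json.loads(
    '{"event_type":"flow","proto":"TCP","tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f",'
    '"tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,'
    '"state":"time_wait"}}'
)

if __name__ == "__main__":
    for key, flags in describe_flow(SAMPLE_EVENT).items():
        print(f"{key:>15}: {' '.join(flags) or '-'}")
```

For the sample, tcp_flags_tc is 1b (ACK PSH SYN FIN), so the RST was seen only in the to-server direction.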

Ah, of course. I was looking all over the suricata documentation thinking it was your own representation of that.

Great, I’ll also look at putting in a PR on the splunk TA to add that and any other combinations that may be missing.