I’m trying to write a signature that will check for any TCP SYN. So I have checked the contents of 0x02, which will then match any SYNs, but I have found that some stacks will include ECN or URGENT flags, in which case I would need to match on 0x02 or 0xc2 or 0x22. What’s the best way to write this ? I did look at bitwise, but that didn’t seem to meet my needs.
many thanks
(TCP flags below)
Flags: 0x002 (SYN)
000. … … = Reserved: Not set
…0 … … = Nonce: Not set
… 0… … = Congestion Window Reduced (CWR): Not set
… .0… … = ECN-Echo: Not set
… …0. … = Urgent: Not set
… …0 … = Acknowledgment: Not set
… … 0… = Push: Not set
… … .0… = Reset: Not set
… … …1. = Syn: Set
… … …0 = Fin: Not set
[TCP Flags: ··········S·]
I think the flags keyword can do what you wanted. Example from ET open: flags: S,12; which is equal to flags: S,EC;. This should match if only the SYN set, or SYN+ECN or SYN+CWR or SYN+both.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, former_category SCAN, updated_at 2017_05_11;)
