Cisco Support Community
New Member

confusion abt tcp flags and tcp mask in signatures

Hi all, can someone please tell me what the difference is between tcp flags and tcp mask in the signatures?

As far as I understood, tcp flags are the bits which need to be present in the tcp packet for the signature to match. Then why the tcp mask? How does it use the tcp mask?

I am really a little confused about this.

Can someone please help me out?

Regards

sebastan

4 REPLIES
Gold

Re: confusion abt tcp flags and tcp mask in signatures

The tcp mask is the set of relevant bits that you want to check. Of those that you want to check, the tcp flags are the ones that must be set.

This allows you to ignore whether some bits are set or not.

Cisco Employee

Re: confusion abt tcp flags and tcp mask in signatures

Correct.

"PData AND Mask =? Flags" is the operation being checked. PData is the data from the packet; it is bitwise ANDed with tcp_mask and compared to tcp_flags. The result is TRUE if the comparison is EQUAL.

New Member

Re: confusion abt tcp flags and tcp mask in signatures

Hi, you mean to say that the tcp flags are the flags which need to be present in the tcp packet for the signature to be matched,

and in the mask field are the bits which need to be checked.

Example: in the tcp flags, say I set the syn and fin bits, and in the mask field I only set the fin bit.

Now, when the tcp packet has both the syn and fin bits, will the signature be fired?

Or will the signature be fired only if the tcp packet has the fin bit?

Can you please clear my doubt regarding this?

Waiting for your reply.

Regards

sebastan

Gold

Re: confusion abt tcp flags and tcp mask in signatures

"Example: in the tcp flags, say I set the syn and fin bits, and in the mask field I only set the fin bit."

"Now, when the tcp packet has both the syn and fin bits, will the signature be fired?"

The signature _might_ fire, but I wonder if you understand the settings? You essentially said:

"I only care about the fin flag" (mask)

"make sure the syn and fin flags are set" (flags)

Based on my understanding, the tcp flags should always be a subset of the mask. Remember, you're saying "of these flags (mask), make sure only these are set (flags)". The IPS software does allow you to make that selection, though, and I'm not sure what it does. Based on scothrel's earlier response, it should not fire the alarm:

    0 0 0 0 0 0 0 1 (mask)
    0 0 0 0 0 0 1 1 (pdata)
    ---------------
    0 0 0 0 0 0 0 1
    0 0 0 0 0 0 1 1 (flags)
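The check described in the two replies above ("PData AND Mask =? Flags") carried through in code, as an added example; it is not code from this thread or from the Cisco IPS product, and every function name in it is my own. It builds a minimal TCP header with constructed flag values, extracts the flag byte the way an engine would see it, and runs the mask/flags comparison for the poster's scenario (mask = FIN, flags = SYN+FIN) alongside a few signatures written the way the replies recommend, including a sanity check that catches flags set outside the mask, which can never fire.

```python
"""Worked example: how an IPS signature's tcp_mask / tcp_flags pair is
evaluated against a TCP header.  Added example, not code from the thread
or from the Cisco IPS product; all names here are my own."""

import struct

# The eight flag bits in the low byte of the TCP data-offset/flags word
# (RFC 793 flags plus ECE/CWR from RFC 3168), least significant first.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def flag_str(bits):
    """Render a flag byte as e.g. 'FIN|SYN' for readable output."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if bits & bit) or "none"


def build_tcp_header(flags, sport=40000, dport=80):
    """Construct a minimal 20-byte TCP header carrying the given flags
    (constructed sample data; seq/ack numbers and checksum are zero)."""
    offset_and_flags = (5 << 12) | flags   # data offset = 5 words, reserved bits clear
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 65535, 0, 0)


def tcp_flags_of(header):
    """Extract the flag byte from a raw TCP header (bytes 12-13, low 8 bits)."""
    offset_and_flags = struct.unpack("!H", header[12:14])[0]
    return offset_and_flags & 0xFF


def signature_fires(pdata, tcp_mask, tcp_flags):
    """The check from the thread: (PData AND Mask) == Flags.
    tcp_mask selects which bits are compared; tcp_flags says which of the
    selected bits must be set (the other selected bits must be clear)."""
    return (pdata & tcp_mask) == tcp_flags


def flags_within_mask(tcp_mask, tcp_flags):
    """Sanity check for a signature definition: a flag bit set outside the
    mask is zeroed by the AND, so such a signature can never fire."""
    return (tcp_flags & ~tcp_mask) == 0


# Signature definitions as (mask, flags) pairs: the poster's scenario plus
# the scan patterns this kind of check is normally written for.
SIGNATURES = {
    "thread example: mask FIN, flags SYN+FIN": (FIN, SYN | FIN),
    "SYN+FIN both set, others ignored":        (SYN | FIN, SYN | FIN),
    "FIN set, others ignored":                 (FIN, FIN),
    "null scan: no flags at all":              (0xFF, 0),
    "xmas scan: exactly FIN+PSH+URG":          (0xFF, FIN | PSH | URG),
}


def evaluate(packet_flags):
    """Run every signature against a constructed packet carrying these flags,
    going through header construction and parsing, and return {name: fired?}."""
    pdata = tcp_flags_of(build_tcp_header(packet_flags))
    return {name: signature_fires(pdata, mask, flags)
            for name, (mask, flags) in SIGNATURES.items()}


if __name__ == "__main__":
    for name, (mask, flags) in SIGNATURES.items():
        if not flags_within_mask(mask, flags):
            print(f"warning: '{name}' sets flags outside its mask; it can never fire")
    for packet_flags in (SYN | FIN, SYN | FIN | ACK, FIN | ACK, 0, FIN | PSH | URG):
        print(f"\npacket flags = {flag_str(packet_flags)}")
        for name, fired in evaluate(packet_flags).items():
            print(f"  {'FIRE' if fired else ' -  '} {name}")
```

Running it shows the point of the last reply: with mask = FIN and flags = SYN+FIN, a SYN+FIN packet is ANDed down to FIN alone, which never equals SYN+FIN, so that signature is dead on arrival; the subset check flags it before it is deployed. Writing the mask as SYN+FIN instead fires on SYN+FIN whether or not ACK or other bits are also set, while a mask of 0xFF with flags = 0 demands that no flag be set at all.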
