Is there any source where TCP flag values are listed?
I'm dealing with Snort rules and I think it would be nice to know what A+ and other TCP values are...
http://linux.oreillynet.com/pub/a/li...tools_two.html might help a bit (scroll down)
Thanks guys. Those flags are quite familiar. The reason I'm asking this question is that I took a look at the rules that the Snort IDS processes, and there is an entry in the rule that looks like this:
(msg:"PORN free XXX"; content:"FREE XXX"; nocase; flags:A+; classtype:kickass-porn; sid:1310; rev:1
Please notice the flags:A+; part. The flags are TCP flags, and A+ looks like a value... I was thinking that there are a bunch of TCP flag values that I'm not aware of, like A+.
Do you have any idea what the A+ is?
thx.
The A means Ack, and the + means match on all specified flags plus any others. You can find out more here:
http://www.snort.org/docs/writing_ru...#tth_sEc2.3.13
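The matching described in the answer above, as an added Python example that is not part of the original thread and is not Snort's own code. The function names are hypothetical, only the six classic flag letters (F, S, R, P, A, U) are handled, the modifier is accepted on either side of the letters, and the meanings of `*` (any listed flag) and `!` (none of the listed flags) come from the Snort rule documentation rather than from this thread.

```python
# Added illustration: evaluate a Snort-style "flags" option against a TCP flags byte.
# Function names are hypothetical; only the six classic flag letters are handled.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
MODIFIERS = {"+": "all", "*": "any", "!": "none"}  # no modifier means exact match


def parse_flags_option(spec):
    """Turn a spec such as 'A+', '+A', 'SF' or '*SF' into (bitmask, mode)."""
    mask, mode = 0, "exact"
    for ch in spec.strip().upper():
        if ch in TCP_FLAG_BITS:
            mask |= TCP_FLAG_BITS[ch]
        elif ch in MODIFIERS and mode == "exact":
            mode = MODIFIERS[ch]
        else:
            raise ValueError(f"unsupported character {ch!r} in flags spec {spec!r}")
    if mask == 0:
        raise ValueError(f"no flag letters in flags spec {spec!r}")
    return mask, mode


def flags_match(spec, tcp_flags):
    """Return True if the packet's TCP flags byte satisfies the spec."""
    mask, mode = parse_flags_option(spec)
    observed = tcp_flags & 0x3F  # assumption: ignore the two high (reserved/ECN) bits
    if mode == "all":    # '+': every listed flag set, any others allowed
        return (observed & mask) == mask
    if mode == "any":    # '*': at least one listed flag set
        return (observed & mask) != 0
    if mode == "none":   # '!': none of the listed flags set
        return (observed & mask) == 0
    return observed == mask  # exact: listed flags and nothing else


# Constructed sample flag bytes, not captured traffic.
SAMPLES = {"SYN": 0x02, "SYN+ACK": 0x12, "ACK": 0x10,
           "PSH+ACK": 0x18, "FIN+ACK": 0x11, "RST": 0x04}


def matching_samples(spec):
    """Names of the constructed samples that a given flags spec would match."""
    return [name for name, flags in SAMPLES.items() if flags_match(spec, flags)]


if __name__ == "__main__":
    for spec in ("A", "A+", "*SF", "!A"):
        print(f"flags:{spec:<4} -> {matching_samples(spec)}")
```

With `flags:A+` the rule quoted in the thread applies to any segment that carries ACK, whatever else is set, whereas plain `flags:A` in this model would require ACK to be the only flag set.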