Pseries Installation Guide
P-Series Installation and Operation Guide, version 2.3.1.2 119
Table 28 describes briefly the valid Snort keywords supported on the P-Series. For a more detailed
explanation for these keywords, see the Snort website at http://www.snort.org/docs/snort_manual/
node17.html.
Appendix B Snort Keywords
Table 28 Description of P-Series Snort Keywords
Keyword Description Rule Syntax
ack Checks for a specific TCP acknowledgment number.
number is a reference to a previously transmitted
sequence number that is being acknowleged.
ack: number;
content Specifies the content within the packet payload for which
the rule is to search.
data_string can contain mixed text and binary data.
Binary data is enclosed within pipe characters and is
written in hexadecimal form.
content: [!] "data_string";
dsize Inspects the packet payload size.
number is the payload size in bytes.
dsize: [>|<] number [>|<number];
flags Checks for the presence of the specified TCP flag bits.
Valid flag bits include:
• F: FIN (Least Significant Bit (LSB) in the TCP Flags
byte)
• S: SYN
• R: RST
• P: PSH
• A: ACK
• U: URG
• 1: Reserved bit 1 (Most Significant Bit (MSB) in TCP
Flags byte)
• 2: Reserved bit 2
• 0: No TCP Flags Set
The following modifiers change the match criteria:
• +: Match on the specified bits, plus any others.
• *: Match if any of the specified bits are set.
• !: Match if the specified bits are not set.
flags:[!|*|+] {F|S|R|P|A|U|
1|2|0}
[,{F|S|R|P|A|U|1|2|0}];