Specifies certain values and options that exist within packet
headers. These parameters differ from protocol to protocol. In
a custom attack definition, you can specify fields for only one of
the following protocols: TCP, UDP, or ICMP. You can, however, define
IP protocol fields together with TCP or UDP fields in the same custom
attack definition.
Note:
Header parameters can be defined only for attack objects that
use a packet or first packet context. If you specified a line, stream,
stream 256, or service context, you cannot specify header parameters.
If you are unsure of the option or flag settings of the malicious
packet, leave all fields blank; IDP then attempts to match the signature
regardless of header contents. For each value you specify, you must also
specify the relational or equality operator. Table 101 lists the attack
header match operands.
Table 101: Attack Header Match Operands
    Operand   Description
    ==        Is equal to
    !=        Is not equal to
    <         Is greater than
    >         Is less than
Additionally, for each flag you must specify a flag setting:
none (flag not configured), set (flag is set), or unset (flag is not set).
Table 102 displays the fields and flags that you can set for attacks
that use the IP protocol.
Table 102: IP Protocol Fields and Flags
Type of Service
    Specify an operand and a value for the service type. Common
    service types are:
        0000  Default
        0001  Minimize Cost
        0002  Maximize Reliability
        0003  Maximize Throughput
        0004  Minimize Delay
        0005  Maximize Security
Total Length
    Specify an operand and a value for the number of bytes in the
    packet, including all header fields and the data payload.
ID
    Specify an operand and a value for the unique value used by
    the destination system to reassemble a fragmented packet.
Time to Live
    Specify an operand and an integer value in the range of 0–255
    for the time-to-live (TTL) value of the packet. This value
    represents the number of devices the packet can traverse. Each
    router that processes the packet decrements the TTL by 1; when
    the TTL reaches 0, the packet is discarded.
Protocol
    Specify an operand and a value for the protocol used.
Source
    Enter the source address of the attacking device.
Destination
    Enter the destination address of the attack target.
Reserved Bit
    This bit is not used.
More Fragments
    When set (1), this option indicates that the packet contains
    more fragments. When unset (0), it indicates that no more
    fragments remain.
Don’t Fragment
    When set (1), this option indicates that the packet cannot be
    fragmented for transmission.
Table 103 displays packet
header fields and flags that you can set for attacks that use the
TCP protocol.
Table 103: TCP Header Fields and Flags
Source Port
    Specify an operand and a value for the port number on the
    attacking device.
Destination Port
    Specify an operand and a value for the port number of the
    attack target.
Sequence Number
    Specify an operand and a value for the sequence number of the
    packet. This number identifies the location of the data in
    relation to the entire data sequence.
ACK Number
    Specify an operand and a value for the ACK number of the packet.
    This number identifies the next sequence number; the ACK flag
    must be set to activate this field.
Header Length
    Specify an operand and a value for the number of bytes in the
    TCP header.
Data Length
    Specify an operand and a value for the number of bytes in the
    data payload. For SYN, ACK, and FIN packets, this field should
    be empty.
Window Size
    Specify an operand and a value for the number of bytes in the
    TCP window size.
Urgent Pointer
    Specify an operand and a value for the urgent pointer. The value
    indicates that the data in the packet is urgent; the URG flag
    must be set to activate this field.
URG
    When set, the urgent flag indicates that the packet data is
    urgent.
ACK
    When set, the acknowledgment flag acknowledges receipt of a
    packet.
PSH
    When set, the push flag indicates that the receiver should push
    all data in the current sequence to the destination application
    (identified by the port number) without waiting for the remaining
    packets in the sequence.
RST
    When set, the reset flag resets the TCP connection, discarding
    all packets in an existing sequence.
SYN
    When set, the SYN flag indicates a request for a new session.
FIN
    When set, the final flag indicates that the packet transfer
    is complete and the connection can be closed.
R1
    This reserved bit (1 of 2) is not used.
R2
    This reserved bit (2 of 2) is not used.
Table 104 displays packet
header fields and flags that you can set for attacks that use the
UDP protocol.
Table 104: UDP Header Fields and Flags
Source Port
    Specify an operand and a value for the port number on the
    attacking device.
Destination Port
    Specify an operand and a value for the port number of the
    attack target.
Data Length
    Specify an operand and a value for the number of bytes in the
    data payload.
Table 105 displays packet
header fields and flags that you can set for attacks that use the
ICMP protocol.
Table 105: ICMP Header Fields and Flags
ICMP Type
    Specify an operand and a value for the primary code that
    identifies the function of the request or reply packet.
ICMP Code
    Specify an operand and a value for the secondary code that
    identifies the function of the request or reply packet within
    a given type.
Sequence Number
    Specify an operand and a value for the sequence number of the
    packet. This number identifies the location of the request or
    reply packet in relation to the entire sequence.
ICMP ID
    Specify an operand and a value for the identification number.
    The identification number is a unique value used by the
    destination system to associate request and reply packets.
Data Length
    Specify an operand and a value for the number of bytes in the
    data payload.
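The following added example (not Juniper's IDP code) shows how the header match rules described above, the Table 101 operands, the none/set/unset flag settings, and the "blank field matches anything" behaviour, can be evaluated against the IP (Table 102) and TCP (Table 103) fields pulled from a raw packet. It assumes the operands carry their standard arithmetic meaning, assumes R1/R2 are the two reserved bits directly above URG, and uses a constructed SYN packet as input.

```python
import struct

# Match semantics from the page: a field constraint is (operand, value); a flag
# constraint is "none" (not checked), "set" or "unset"; a field left blank (absent
# from the rule set) matches every packet.
# Assumption: operands carry their standard arithmetic meaning.
OPERANDS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
            "<": lambda a, b: a < b, ">": lambda a, b: a > b}

# TCP flag bits; R1/R2 are assumed to be the two reserved bits directly above URG.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "R1": 0x40, "R2": 0x80}

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the Table 102 (IP) and Table 103 (TCP) fields and flags out of a raw packet."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"type_of_service": tos, "total_length": total_len, "id": ident, "ttl": ttl,
              "protocol": proto, "source": ".".join(map(str, src)),
              "destination": ".".join(map(str, dst))}
    flags = {"reserved_bit": bool(frag & 0x8000), "dont_fragment": bool(frag & 0x4000),
             "more_fragments": bool(frag & 0x2000)}
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, window, _, urg = struct.unpack(
            "!HHIIHHHH", pkt[ihl:ihl + 20])
        hdr_len = (off_flags >> 12) * 4
        fields.update({"source_port": sport, "destination_port": dport, "sequence_number": seq,
                       "ack_number": ack, "header_length": hdr_len, "window_size": window,
                       "urgent_pointer": urg, "data_length": total_len - ihl - hdr_len})
        flags.update({name: bool(off_flags & bit) for name, bit in TCP_FLAG_BITS.items()})
    return {"fields": fields, "flags": flags}

def header_matches(parsed: dict, field_rules: dict, flag_rules: dict) -> bool:
    """True when every specified field satisfies its operand and every set/unset flag agrees."""
    for name, (op, value) in field_rules.items():
        if name not in parsed["fields"] or not OPERANDS[op](parsed["fields"][name], value):
            return False
    for name, setting in flag_rules.items():
        if setting != "none" and parsed["flags"].get(name) is not (setting == "set"):
            return False
    return True

def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP SYN from 10.0.0.1 to 10.0.0.2:80, no payload, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | TCP_FLAG_BITS["SYN"], 1024, 0, 0)
    return ip + tcp
```

A definition of "destination port == 80, TTL < 128, SYN set, ACK unset" matches the sample packet, while one requiring a non-zero data length does not, because a SYN carries no payload.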