Chapter 15 Unified Threat Management for FortiOS 5.0 : Custom Application & IPS Signatures : Custom signature keywords : TCP header keywords : tcp_flags
  
tcp_flags
Syntax: --tcp_flags <SAFRUP120>[!|*|+] [,<SAFRUP120>];
Description:
Specify the TCP flags to match in a packet.
S: Match the SYN flag.
A: Match the ACK flag.
F: Match the FIN flag.
R: Match the RST flag.
U: Match the URG flag.
P: Match the PSH flag.
1: Match Reserved bit 1.
2: Match Reserved bit 2.
0: Match No TCP flags set.
!: Match if the specified bits are not set.
*: Match if any of the specified bits are set.
+: Match on the specified bits, plus any others.
The first part of the value (<SAFRUP120>) defines the bits that must be present for a successful match.
Example:
--tcp_flags AP only matches the case where both A and P bits are set.
The second part ([,<SAFRUP120>]) is optional, and defines the additional bits that can be present for a match.
For example, --tcp_flags S,12 matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2. The modifiers !, * and + cannot be used in the second part.
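
The matching rules described above, modelled in Python so a signature value can be checked against sample flag bytes before it is deployed. This is an added example, not FortiOS code and not part of the original page. Assumptions: reserved bits 1 and 2 are mapped to 0x80 and 0x40 (the Snort convention, the page gives no bit positions), ! is read as "none of the listed bits are set", and second-part bits are ignored before every comparison.

```python
# Bit values of the TCP header flags byte. The positions for "1" and "2"
# are an assumption (Snort convention); the page does not state them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00}
MODIFIERS = "!*+"


def _bits(letters):
    """Translate a run of flag characters (e.g. 'AP') into a bitmask."""
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown flag character {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_tcp_flags(value):
    """Parse '<flags>[!|*|+][,<flags>]' into (required, modifier, optional)."""
    first, _, second = value.strip().rstrip(";").partition(",")
    first, second = first.strip(), second.strip()
    modifier = ""
    if first and first[-1] in MODIFIERS:
        first, modifier = first[:-1], first[-1]
    if not first:
        raise ValueError("first part must name at least one flag")
    if any(ch in MODIFIERS for ch in second):
        raise ValueError("modifiers cannot be used in the second part")
    return _bits(first), modifier, _bits(second)


def matches(value, packet_flags):
    """Return True if an 8-bit TCP flags byte satisfies the keyword value."""
    required, modifier, optional = parse_tcp_flags(value)
    seen = packet_flags & 0xFF & ~optional       # second part: bits that may vary
    if modifier == "+":                          # specified bits, plus any others
        return (seen & required) == required
    if modifier == "*":                          # any of the specified bits
        return (seen & required) != 0
    if modifier == "!":                          # assumed: none of the bits set
        return (seen & required) == 0
    return seen == required                      # no modifier: exactly these bits


if __name__ == "__main__":
    # Constructed flag bytes: SYN, SYN+ACK, SYN with both reserved bits.
    for flags in (0x02, 0x12, 0xC2):
        print(f"S,12 vs 0x{flags:02x}: {matches('S,12', flags)}")
```

Under this model `S,12` accepts a bare SYN and a SYN carrying either reserved bit but rejects SYN+ACK, while `S+` accepts all three.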