This example checks if just the SYN and the FIN bits are set, ignoring CWR (reserved bit 1) and ECN (reserved bit 2).
alert tcp any any -> any any (flags:SF,CE;)
The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively,
to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP".
The old values of '1' and '2' are still valid for the flag keyword, but
are now deprecated.
Note: