First of all, note that the data set is flawed and should not be used (KDNuggets statement). Roughly speaking, there are three reasons: A) it is not at all realistic, in particular not for modern attacks (heck, not even for real attacks back in 1998!). Today, most attacks are SQL injection and password theft via trojans, neither of which is detectable with this kind of data. B) The data set is focused on attacks, so it consists of attacks with some background noise, whereas actual traffic is largely ordinary data with only some attacks. C) It was simulated on a largely virtual network, and you can detect the "attacks" from the simulated network topology alone.
Judging from the documentation of the usual preprocessed version, the flag attribute is a value derived from the connection state, i.e. whether the reply to the connection attempt was a TCP REJ, a TCP RST, etc.
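
To make that concrete, here is a minimal sketch of how the flag codes could be decoded. It assumes the preprocessed version uses Bro/Zeek-style connection state codes (SF, S0, REJ, RSTO, ...); the name `FLAG_MEANINGS`, the helper `describe_flag`, and the wording of the descriptions are my own illustration and are not part of the data set, so check them against the documentation you actually have.

```python
# Assumed meanings of the flag codes, following Bro/Zeek connection-state
# conventions. This table is illustrative, not taken from the data set docs.
FLAG_MEANINGS = {
    "SF": "normal establishment and termination",
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "REJ": "connection attempt rejected",
    "RSTO": "connection established, originator aborted with RST",
    "RSTR": "responder sent RST",
    "OTH": "no SYN seen, midstream traffic only",
}


def describe_flag(flag: str) -> str:
    """Return the assumed meaning of a flag code, or a fallback if unknown."""
    return FLAG_MEANINGS.get(flag.strip().upper(), "unknown flag")


if __name__ == "__main__":
    for code in ("SF", "REJ", "rsto", "XYZ"):
        print(code, "->", describe_flag(code))
```

The point is only that the attribute is categorical and describes how the connection ended, so it should be treated as a nominal value rather than a number.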