Chapter 30 IDP
ZyWALL USG 50 User’s Guide
496
Actions: Any
Figure 294 Query Example Search Criteria
Figure 295 Query Example Search Results
30.7 Introducing IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to your computer and imported from it, so you can share them with others.
You need some knowledge of packet headers and attack types to create your own custom signatures.
30.7.1 IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
Figure 296 IP v4 Packet Headers
The header fields are discussed below:
Table 149 IP v4 Packet Headers
HEADER: DESCRIPTION
Version: The value 4 indicates IP version 4.
IHL: IP Header Length is the number of 32-bit words forming the total length of the header (usually five).
Type of Service: The Type of Service (also known as Differentiated Services Code Point (DSCP)) is usually set to 0, but may indicate particular quality of service needs from the network.
Total Length: This is the size of the datagram in bytes. It is the combined length of the header and the data.
Identification: This is a 16-bit number which, together with the source address, uniquely identifies this packet. It is used during reassembly of fragmented datagrams.
Flags: Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver.
Fragment Offset: This is a byte count from the start of the original sent packet.
30.8 Configuring Custom Signatures
Select Configuration > Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
Table 149 IP v4 Packet Headers (continued)
HEADER: DESCRIPTION
Time To Live: This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
Protocol: The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Header Checksum: This is used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network.
Source IP Address: This is the IP address of the original sender of the packet.
Destination IP Address: This is the IP address of the final destination of the packet.
Options: IP options is a variable-length list of IP options for a datagram. The options include IP Security Option and IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options.
Padding: Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits.
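The knowledge of packet headers that custom signatures require is easiest to pick up by decoding a real header. The following Python example is added here and is not code from the ZyWALL guide or from ZyXEL; it unpacks the Table 149 fields from raw IPv4 bytes, verifies the header checksum, and decodes the flags and fragment offset. The sample packet is constructed inline, and the protocol-number names are the four quoted in the table. One detail beyond the table: on the wire the fragment offset field counts 8-byte units, so the parser multiplies it by 8 to produce the byte count the table describes.

```python
import struct
from typing import Dict

# Protocol numbers quoted in Table 149 for the IP Protocol field.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header (RFC 791).
    Over a header whose checksum field is already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the IPv4 header fields listed in Table 149 from raw packet bytes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_length, identification, flags_frag,
     ttl, protocol, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = ver_ihl & 0x0F            # header length in 32-bit words (usually 5)
    header_len = ihl * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version=%d)" % version)
    if ihl < 5 or header_len > len(packet):
        raise ValueError("invalid IHL %d" % ihl)
    header = packet[:header_len]
    # The top 3 bits are the flags (bit 1 = Don't Fragment, bit 0 = More Fragments);
    # the low 13 bits are the fragment offset in 8-byte units, converted to bytes here.
    flags = flags_frag >> 13
    frag_offset_bytes = (flags_frag & 0x1FFF) * 8
    return {
        "version": version,
        "ihl": ihl,
        "header_length": header_len,
        "tos": tos,
        "total_length": total_length,
        "identification": identification,
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1),
        "fragment_offset": frag_offset_bytes,
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other"),
        "checksum_ok": ip_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],          # empty when IHL is 5
        "payload": packet[header_len:],
    }


def build_sample_packet() -> bytes:
    """Constructed sample: 20-byte IPv4/TCP header with DF set, TTL 64, 4 payload bytes."""
    payload = b"\x01\x02\x03\x04"
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # Fill in the checksum field (bytes 10-11) so the parser's check passes.
    csum = ip_checksum(fields)
    fields = fields[:10] + struct.pack("!H", csum) + fields[12:]
    return fields + payload


if __name__ == "__main__":
    for key, value in parse_ipv4_header(build_sample_packet()).items():
        print("%-16s %r" % (key, value))
```

Flipping any byte of the sample header makes `checksum_ok` come back False, which is the check the Header Checksum row describes routers performing; a signature that inspects header fields is only meaningful on packets that pass it.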
Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
Figure 297 Configuration > Anti-X > IDP > Custom Signatures
The following table describes the fields in this screen.
Table 150 Configuration > Anti-X > IDP > Custom Signatures
LABEL: DESCRIPTION
Custom Signature Rules: Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Export: To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file. Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules.
#: This is the entry’s index number in the list.
SID: SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.
Name: This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent.
30.8.1 Creating or Editing a Custom Signature
Click the Add icon to create a new signature or click the Edit icon to edit an existing signature in the screen as shown in Figure 297 on page 499.
A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives it will trigger.
Table 150 Configuration > Anti-X > IDP > Custom Signatures (continued)
LABEL: DESCRIPTION
Customer Signature Rule Importing: Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL.
Note: The name of the complete custom signature file on the ZyWALL is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’.
File Path: Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Import to transfer the file to the ZyWALL. New signatures then display in the ZyWALL IDP > Custom Signatures screen.
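Three rules from this section fit together: a packet must match all items configured in a signature (Section 30.8.1), every signature is checked even after a match (the note in Section 30.8), and conflicting actions resolve to the most restrictive one, with reject-receiver plus reject-sender becoming reject-both. The Python model below is an added example, not ZyWALL code and not a description of how the appliance is implemented internally; it enforces the Table 150 SID rules (9000000 to 9999999, no duplicates), evaluates all signatures with AND semantics, and applies the stated precedence. The criteria names `protocol`, `dst_port` and `content` and the sample packets and signatures are constructed for illustration and are not the screen's own field labels.

```python
from typing import Dict, Iterable, List, Optional

# Actions named in the note in Section 30.8, listed most restrictive first.
ACTION_PRECEDENCE = ["reject-both", "reject-receiver", "reject-sender", "drop", "none"]

# Custom signature ID range from Table 150.
SID_MIN, SID_MAX = 9000000, 9999999


def sid_error(sid: int, existing_sids: Iterable[int]) -> Optional[str]:
    """Return why a SID is unacceptable under the Table 150 rules, or None if usable."""
    if not SID_MIN <= sid <= SID_MAX:
        return "SID %d is outside the %d-%d range" % (sid, SID_MIN, SID_MAX)
    if sid in set(existing_sids):
        return "SID %d already exists" % sid
    return None


class CustomSignature:
    """One custom signature. The criteria keys (protocol, dst_port, content) are
    hypothetical illustration names, not the ZyWALL screen's labels."""

    def __init__(self, sid: int, name: str, action: str,
                 existing_sids: Iterable[int] = (), **criteria) -> None:
        err = sid_error(sid, existing_sids)
        if err:
            raise ValueError(err)
        if action not in ACTION_PRECEDENCE:
            raise ValueError("unknown action %r" % action)
        self.sid, self.name, self.action, self.criteria = sid, name, action, criteria

    def matches(self, packet: Dict[str, object]) -> bool:
        """All configured criteria must hold (AND); a single mismatch means no match."""
        for field, expected in self.criteria.items():
            if field == "content":
                # Packet-content criterion: byte-substring search in the payload.
                if expected not in packet.get("payload", b""):
                    return False
            elif packet.get(field) != expected:
                return False
        return True


def resolve_action(actions: List[str]) -> Optional[str]:
    """Most restrictive action wins; reject-receiver with reject-sender gives reject-both."""
    if not actions:
        return None
    if "reject-receiver" in actions and "reject-sender" in actions:
        return "reject-both"
    return min(actions, key=ACTION_PRECEDENCE.index)


def evaluate(packet: Dict[str, object], signatures: List[CustomSignature]) -> Dict[str, object]:
    """Test every signature (no early exit after the first hit) and resolve the action."""
    matched = [s for s in signatures if s.matches(packet)]
    return {"matched_sids": [s.sid for s in matched],
            "action": resolve_action([s.action for s in matched])}


# Constructed sample packets: already-decoded header fields plus payload bytes.
SAMPLE_PACKETS = [
    {"protocol": 6, "dst_port": 80, "payload": b"GET /admin HTTP/1.1\r\n"},
    {"protocol": 6, "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"protocol": 17, "dst_port": 53, "payload": b"\x12\x34\x01\x00"},
]


def build_sample_signatures() -> List[CustomSignature]:
    """Three constructed rules: one broad, two specific ones with conflicting reject actions."""
    broad = CustomSignature(9000001, "any-http", "none", protocol=6, dst_port=80)
    admin_tx = CustomSignature(9000002, "http-admin-path", "reject-sender",
                               existing_sids=[broad.sid],
                               protocol=6, dst_port=80, content=b"/admin")
    admin_rx = CustomSignature(9000003, "http-admin-path-rx", "reject-receiver",
                               existing_sids=[broad.sid, admin_tx.sid],
                               protocol=6, dst_port=80, content=b"/admin")
    return [broad, admin_tx, admin_rx]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(evaluate(pkt, build_sample_signatures()))
```

The broad header-only rule matches both HTTP packets, while the two rules that add a content criterion match only the first; that is the false-positive difference Section 30.8.1 describes. On that first packet the reject-sender and reject-receiver rules both match and the resolved action is reject-both, exactly as the note states.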
