Chapter 30 IDP
ZyWALL USG 50 User's Guide
Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.

Figure 298 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
The following table describes the fields in this screen.
Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit

Name: Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Duplicate names can exist but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention.

Signature ID: A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID.

Information: Use the following fields to set general information about the signature as denoted below.

Severity: The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. See Table 145 on page 488 as a reference.

Platform: Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device.

Service: Select the IDP service group that the intrusion exploits or targets. See Table 147 on page 491 for a list of IDP service groups. The custom signature then appears in that group in the IDP > Profile > Group View screen.

Policy Type: Categorize the type of intrusion here. See Table 146 on page 490 as a reference.

Frequency: Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion.

Threshold: Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion.

Header Options

Network Protocol: Configure signatures for IP version 4.

Type Of Service: Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number.

Identification: The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses.
Fragmentation: A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses.

Fragmentation Offset: When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragmentation Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number.

Time to Live: Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it's used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.

IP Options: IP options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select from the list box the item that the intrusion uses.

Same IP: Select the check box for the signature to check for packets that have the same source and destination IP addresses.

Transport Protocol: The following fields vary depending on whether you choose TCP, UDP or ICMP.

Transport Protocol: TCP

Port: Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
Flow: If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
Established: The signature only checks for established TCP connections.
Stateless: The signature is triggered regardless of the state of the stream processor (this is useful for packets that are designed to cause devices to crash).
To Client: The signature only checks for server responses from A to B.
To Server: The signature only checks for client requests from B to A.
From Client: The signature only checks for client requests from B to A.
From Servers: The signature only checks for server responses from A to B.
No Stream: The signature does not check rebuilt stream packets.
Only Stream: The signature only checks rebuilt stream packets.

Flags: Select what TCP flag bits the signature should check.

Sequence Number: Use this field to check for a specific TCP sequence number.

Ack Number: Use this field to check for a specific TCP acknowledgement number.

Window Size: Use this field to check for a specific TCP window size.

Transport Protocol: UDP

Port: Select the check box and then enter the source and destination UDP port numbers that will trigger this signature.

Transport Protocol: ICMP

Type: Use this field to check for a specific ICMP type value.

Code: Use this field to check for a specific ICMP code value.

ID: Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate.

Sequence Number: Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate.

Payload Options: The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload.

Add: Click this to create a new entry.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

#: This is the entry's index number in the list.

Offset: This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload.

Content: Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipes is converted to ASCII. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).

Case-insensitive: Select Yes if content casing does NOT matter.

Decode as URI: A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
scheme for Hypertext Transfer Protocol services
mailto:[email protected]; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select Yes for the signature to search for normalized URI fields. This means that if you are writing signatures that include normalized content, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver