Chapter 30 IDP
ZyWALL USG 50 User’s Guide
Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)
LABEL    DESCRIPTION
OK       Click this button to save your changes to the ZyWALL and return to the summary screen.
Cancel   Click this button to return to the summary screen without saving any changes.

30.8.2 Custom Signature Example
Before creating a custom signature, you must first clearly understand the vulnerability.

30.8.2.1 Understand the Vulnerability
Check the ZyWALL logs when the attack occurs. Use web sites such as Google or Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
As an example, say you want to check if your router is being overloaded with DNS queries, so you create a signature to detect DNS query traffic.
30.8.2.2 Analyze Packets
Use the packet capture screen (see Section 48.3 on page 750) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more.
Figure 299 DNS Query Packet Details
From the details about the DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
The final custom signature should look like the one shown in the following figure.
Figure 300 Example Custom Signature
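The following is an added example, not code from the ZyWALL User's Guide or from ZyXEL, that models what the DNS-query signature built above actually tests: the transport is UDP, the destination port is 53, and the two bytes at payload offset 2 (the DNS flags field, which follows the 2-byte transaction ID) equal 0x0100, a standard query. The pattern is handled here as the raw flag bytes 01 00; the names CustomSignature, Packet, matches and count_matches, the SID 9000001 and the sample packets are all constructed for the example. Running the check over constructed traffic shows why the extra conditions matter for false positives: a DNS response (flags 0x8180) and the same query bytes carried over TCP do not match, while a per-source count of matches is the figure a "router overloaded with DNS queries" threshold would watch.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable

# Custom signatures on the ZyWALL use SIDs in this range (stated in the guide).
CUSTOM_SID_MIN, CUSTOM_SID_MAX = 9000000, 9999999


@dataclass(frozen=True)
class CustomSignature:
    """Hypothetical model of the fields the example signature relies on."""
    sid: int
    protocol: str      # transport, "udp" or "tcp"
    dst_port: int      # service port the traffic is sent to
    pattern: bytes     # raw bytes to look for in the payload
    offset: int        # byte offset into the payload where the pattern starts

    def __post_init__(self):
        if not CUSTOM_SID_MIN <= self.sid <= CUSTOM_SID_MAX:
            raise ValueError("custom signature SIDs run from 9000000 to 9999999")


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: transport, source, destination port, payload."""
    protocol: str
    src_ip: str
    dst_port: int
    payload: bytes


def hex_pattern(text: str) -> bytes:
    """Turn a pipe-delimited hex pattern such as '|01 00|' into raw bytes."""
    return bytes.fromhex(text.strip().strip("|").replace(" ", ""))


def matches(sig: CustomSignature, pkt: Packet) -> bool:
    """Apply the three checks: transport, destination port, bytes at the offset."""
    if pkt.protocol != sig.protocol or pkt.dst_port != sig.dst_port:
        return False
    end = sig.offset + len(sig.pattern)
    return pkt.payload[sig.offset:end] == sig.pattern


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS standard query (flags 0x0100) asking for one A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_dns_response_header(txid: int = 0x1234) -> bytes:
    """Constructed DNS response header (flags 0x8180): same offset, other flags."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)


def count_matches(sig: CustomSignature, packets: Iterable[Packet]) -> Dict[str, int]:
    """Count matching packets per source address, the number a flood threshold watches."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        if matches(sig, pkt):
            counts[pkt.src_ip] = counts.get(pkt.src_ip, 0) + 1
    return counts


# The signature from the walk-through: UDP, port 53, flags 0x0100 at offset 2.
# The SID is a constructed value inside the custom range.
DNS_QUERY_SIG = CustomSignature(sid=9000001, protocol="udp", dst_port=53,
                                pattern=hex_pattern("|01 00|"), offset=2)

# Constructed sample traffic: three queries from one host, one from another,
# a response-shaped payload, and the same query bytes carried over TCP.
SAMPLE_PACKETS = [
    Packet("udp", "192.0.2.10", 53, build_dns_query("example.com")),
    Packet("udp", "192.0.2.10", 53, build_dns_query("example.net")),
    Packet("udp", "192.0.2.10", 53, build_dns_query("example.org")),
    Packet("udp", "192.0.2.20", 53, build_dns_query("example.com")),
    Packet("udp", "192.0.2.30", 53, build_dns_response_header()),
    Packet("tcp", "192.0.2.40", 53, build_dns_query("example.com")),
]

if __name__ == "__main__":
    for src, n in count_matches(DNS_QUERY_SIG, SAMPLE_PACKETS).items():
        print(f"{src}: {n} DNS standard queries matched SID {DNS_QUERY_SIG.sid}")
```

Only the first four sample packets match: the response header fails the flags check at offset 2 and the TCP packet fails the transport check, so the count per source comes out as three for 192.0.2.10 and one for 192.0.2.20. Dropping either condition from the signature would widen the match and raise the false-positive rate, which is the point the guide makes about specificity.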
30.8.3 Applying Custom Signatures
After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen.
Custom signatures have an SID from 9000000 to 9999999.
In a profile you can activate the signature, configure what action to take when a packet matches it, and choose whether it should generate a log or alert. Then bind the profile to a zone.
Figure 301 Example: Custom Signature in IDP Profile
30.8.4 Verifying Custom Signatures
Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor > Log).
The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (53 for DNS in this case) that the attack tries to exploit.
Figure 302 Custom Signature Log
30.9 IDP Technical Reference
This section contains some background information on IDP.
Host Intrusions
The goal of host-based intrusions is to infiltrate files on an individual computer or server with the goal of accessing confidential information or destroying information on that computer.
You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
Disadvantages of host IDPs are that you have to install them on each device that you want to protect in your network and, due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
