Chapter 30 IDP
ZyWALL USG 50 User’s Guide
511
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computers, switches, routers or modems. If a LAN switch is compromised, for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or to attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical network-based intrusions are SQL Slammer, Blaster, Nimda and MyDoom.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written on a single line. Snort rules are divided into two logical sections, the rule header and the rule options, as shown in the following example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination port information
The rule option section contains alert messages and information on which parts of
the packet should be inspected to determine if the rule action should be taken.
These are some equivalent Snort terms in the ZyWALL.
Table 152   ZyWALL - Snort Equivalent Terms

ZYWALL TERM                              SNORT EQUIVALENT TERM
Type Of Service                          tos
Identification                           id
Fragmentation                            fragbits
Fragmentation Offset                     fragoffset
Time to Live                             ttl
IP Options                               ipopts
Same IP                                  sameip
Transport Protocol
Transport Protocol: TCP
Port                                     (In Snort rule header)
Flow                                     flow
Flags                                    flags
Sequence Number                          seq
Ack Number                               ack
Window Size                              window
Transport Protocol: UDP                  (In Snort rule header)
Port                                     (In Snort rule header)
Transport Protocol: ICMP
Type                                     itype
Code                                     icode
ID                                       icmp_id
Sequence Number                          icmp_seq
Payload Options                          (Snort rule options)
Payload Size                             dsize
Offset (relative to start of payload)    offset
Relative to end of last match            distance
Content                                  content
Case-insensitive                         nocase
Decode as URI                            uricontent

Note: Not all Snort functionality is supported in the ZyWALL.
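The following Python script is an added example, not code from ZyXEL or from the Snort project. It splits a one-line Snort rule into the rule header and the rule options exactly as described above (header fields before the first parenthesis, option keywords before the colons inside the parentheses), expands the |hex| notation used in the content option, and looks each option keyword up in Table 152 so that keywords with no ZyWALL equivalent are reported before you try to rebuild the signature by hand. The keyword-to-term map is copied from Table 152; treating msg as informational rather than as a match condition is this example's own assumption.

```python
from dataclasses import dataclass

# ZyWALL terms for Snort option keywords, copied from Table 152.
# Keywords absent from this map have no listed ZyWALL equivalent.
ZYWALL_TERM_FOR_SNORT = {
    "tos": "Type Of Service", "id": "Identification", "fragbits": "Fragmentation",
    "fragoffset": "Fragmentation Offset", "ttl": "Time to Live", "ipopts": "IP Options",
    "sameip": "Same IP", "flow": "Flow", "flags": "Flags", "seq": "Sequence Number",
    "ack": "Ack Number", "window": "Window Size", "itype": "Type", "icode": "Code",
    "icmp_id": "ID", "icmp_seq": "Sequence Number", "dsize": "Payload Size",
    "offset": "Offset (relative to start of payload)",
    "distance": "Relative to end of last match", "content": "Content",
    "nocase": "Case-insensitive", "uricontent": "Decode as URI",
}
# Assumption of this example: msg is alert text, not a match condition,
# so it is not reported as an unsupported keyword.
INFORMATIONAL_KEYWORDS = {"msg"}


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list  # (keyword, value or None) pairs, in rule order


def split_options(body):
    """Split the option section on ';' separators that are not inside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escaped characters such as \" or \;
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and option keyword/value pairs."""
    text = text.strip()
    open_idx = text.find("(")
    if open_idx < 0 or not text.endswith(")"):
        raise ValueError("rule needs an option section enclosed in parentheses")
    header = text[:open_idx].split()
    if len(header) != 7:
        raise ValueError("header must be: action protocol src sport direction dst dport")
    action, proto, src, sport, direction, dst, dport = header
    if direction not in ("->", "<>"):
        raise ValueError("direction operator must be -> or <>")
    options = []
    for opt in split_options(text[open_idx + 1:-1]):
        keyword, sep, value = opt.partition(":")
        value = value.strip() if sep else None   # bare keywords such as nocase carry no value
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((keyword.strip(), value))
    return SnortRule(action, proto, src, sport, direction, dst, dport, options)


def content_bytes(value):
    """Expand Snort content notation: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        out += seg.encode("latin-1") if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def zywall_terms(rule):
    """Return (ZyWALL term, value) for each option keyword that Table 152 lists."""
    return [(ZYWALL_TERM_FOR_SNORT[k], v) for k, v in rule.options if k in ZYWALL_TERM_FOR_SNORT]


def unsupported_keywords(rule):
    """Option keywords with no ZyWALL equivalent in Table 152; these need manual review."""
    return sorted({k for k, _ in rule.options
                   if k not in ZYWALL_TERM_FOR_SNORT and k not in INFORMATIONAL_KEYWORDS})


if __name__ == "__main__":
    # The example rule from the text above, written on one line.
    rule = parse_rule('alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)')
    print(rule.action, rule.protocol, rule.src_ip, rule.src_port, rule.direction, rule.dst_ip, rule.dst_port)
    print(zywall_terms(rule), content_bytes(rule.options[0][1]))
    print("no ZyWALL equivalent:", unsupported_keywords(rule))
```

The parser deliberately rejects rules whose header does not have exactly seven fields or whose option section is missing, so a rule that has been wrapped or truncated by copy-and-paste fails loudly instead of producing a half-converted signature.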
Chapter 31 ADP
31.1 Overview
This chapter introduces ADP (Anomaly Detection and Prevention), anomaly
profiles and applying an ADP profile to a traffic direction. ADP protects against
anomalies based on violations of protocol standards (RFCs – Requests for
Comments) and abnormal flows such as port scans.
31.1.1 ADP and IDP Comparison
1 ADP anomaly detection is in general effective against abnormal behavior, while IDP packet inspection signatures are in general effective against known attacks (see Chapter 30 on page 479 for information on packet inspection).
2 ADP traffic anomaly and protocol anomaly rules are updated when you upload new firmware. This is different from the IDP packet inspection signatures and the system protect signatures, which you download from myZyXEL.com.
31.1.2 What You Can Do in this Chapter
• Use Anti-X > ADP > General (Section 31.2 on page 515) to turn anomaly detection on or off and apply anomaly profiles to traffic directions.
• Use Anti-X > ADP > Profile (Section 31.3 on page 516) to add a new profile, edit an existing profile or delete an existing profile.
31.1.3 What You Need To Know
Traffic Anomalies
Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. Traffic anomaly detection operates at OSI layer 2 and layer 3. Traffic anomaly rules may be updated when you upload new firmware.
Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request
For Comments). Protocol anomaly detection includes HTTP Inspection, TCP
Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated
when you upload new firmware.
ADP Profile
An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you
can activate as a set and configure common log and action settings. You can apply
ADP profiles to traffic flowing from one zone to another.
Base ADP Profiles
Base ADP profiles are templates that you use to create new ADP profiles.The
ZyWALL comes with several base profiles. See
Table 154 on page 517
for details
on ADP base profiles.
ADP Policy
An ADP policy refers to application of an ADP profile to a traffic flow.
Finding Out More
See Section 6.5.20 on page 103 for ADP prerequisites.
See Chapter 30 on page 479 for IDP information.
See Section 30.1.2 on page 479 for IDP-related term definitions.
See Section 31.4 on page 525 for background information on these screens.
31.1.4 Before You Begin
Configure the ZyWALL's zones - see Chapter 15 on page 311 for more information.
31.2 The ADP General Screen
Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions.
Figure 303   Configuration > Anti-X > ADP > General
The following table describes the labels in this screen.
Table 153   Configuration > Anti-X > ADP > General

LABEL                       DESCRIPTION
General Settings
Enable Anomaly Detection    Select this check box to enable traffic anomaly and protocol anomaly detection.
Policies                    Use this list to specify which anomaly profile the ZyWALL uses for traffic flowing in a specific direction. Edit the policies directly in the table.
Add                         Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit                        Select an entry and click this to be able to modify it.
Remove                      Select an entry and click this to delete it.
Activate                    To turn on an entry, select it and click Activate.
Inactivate                  To turn off an entry, select it and click Inactivate.
Move                        To change an entry's position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry, then press [ENTER] to move the entry to the number that you typed.
#                           This is the entry's index number in the list.
Priority                    This is the rank in the list of anomaly profile policies. The list is applied in order of priority.
