Chapter 30 IDP
ZyWALL USG 50 User’s Guide
491
Table 146 Policy Types (continued)

Scan
A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.

A network scan occurs at layer 3. For example, an attacker looks for network devices such as a router or server running in an IP network.

A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports.

A scan on a service is commonly referred to as a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is an HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities.

Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders could run code in the overflowed buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.

Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system resources, thus slowing or stopping other tasks.

Backdoor/Trojan
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data. Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan.

Access Control
Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.

Web Attack
Web attacks refer to attacks on web servers such as IIS (Internet Information Services).

30.6.3 IDP Service Groups
An IDP service group is a set of related packet inspection signatures.
Table 147 IDP Service Groups
WEB_PHP
WEB_MISC
WEB_IIS
WEB_FRONTPAGE
WEB_CGI
WEB_ATTACKS
TFTP
TELNET
SQL
SNMP
SMTP
RSERVICES
RPC
POP3
POP2
P2P
ORACLE
NNTP
NETBIOS
MYSQL
MISC_EXPLOIT
MISC_DDOS
MISC_BACKDOOR
MISC
IMAP
IM
ICMP
FTP
FINGER
DNS

The following figure shows the WEB_PHP service group, which contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side HTML-embedded scripting language that allows web developers to build dynamic websites.

Logs and actions applied to a service group apply to all signatures within that group. If you select "original setting" for service group logs and/or actions, all signatures within that group are returned to their last-saved settings.

Figure 292 Configuration > Anti-X > IDP > Profile > Edit > IDP Service Group
30.6.4 Profile > Query View Screen
Click "Switch to query view" in the screen shown in Figure 291 on page 487 to go to a signature query screen. In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.

Figure 293 Configuration > Anti-X > IDP > Profile: Query View

The following table describes the fields specific to this screen's query view.
Table 148 Configuration > Anti-X > IDP > Profile: Query View

Name
This is the name of the profile that you created in the IDP > Profiles > Group View screen.

Switch to group view
Click this button to go to the IDP profile group view screen, where IDP signatures are grouped by service and you can configure activation, logs and/or actions.

Query Signatures
Select the criteria on which to perform the search.

Search all custom signatures
Select this check box to search for signatures you created or imported in the Custom Signatures screen. You can search by name or ID. If the name and ID fields are left blank, then all custom signatures are displayed.

Name
Type the name or part of the name of the signature(s) you want to find.

Signature ID
Type the ID or part of the ID of the signature(s) you want to find.
Severity
Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very-Low (1): These denote possible attacks caused by traffic such as ping, traceroute, ICMP queries, etc.

Attack Type
Search for signatures by attack type(s) (see Table 146 on page 490). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.

Platform
Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.

Service
Search for signatures by IDP service group(s). See Table 147 on page 491 for group details. Hold down the [Ctrl] key if you want to make multiple selections.

Action
Search for signatures by the response the ZyWALL takes when a packet matches a signature. See Table 145 on page 488 for action details. Hold down the [Ctrl] key if you want to make multiple selections.

Activation
Search for activated and/or inactivated signatures here.

Log
Search for signatures by log option here. See Table 145 on page 488 for option details.

Search
Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the selected search criteria were. The tighter the criteria selected, the fewer the signatures returned.

Query Result
The results are displayed in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.

OK
Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.

Cancel
Click Cancel to return to the profile summary page without saving any changes.

Save
Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
30.6.5 Query Example
This example shows a search with these criteria:
Severity: severe and high
Attack Type: DDoS
Platform: Windows 2000 and Windows XP computers
Service: Any