ZyXEL ZyWALL ATP700 User Guide - Page 605
Chapter 29 IDP

The following table describes the fields in this screen.

Table 236 Configuration > Security Service > IDP > Custom Signatures > Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Name | Type the name of this custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention. |
| Signature ID | A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID. |
| Information | Use the following fields to set general information about the signature as denoted below. |
| Severity | The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. |
| Platform | Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device. |
| Classification Type | Categorize the attack type here. See Table 233 on page 599 as a reference. |
| Frequency | Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion. |
| Threshold | Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion. |
| Header Options | |
| Network Protocol | Configure signatures for IP version 4. |
| Type Of Service | Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number. |
| Identification | The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. |
| Fragmentation | A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. |
| Fragment Offset | When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragment Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number. |
| Time to Live | Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it's used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number. |

ZyWALL ATP Series User's Guide 605
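To make the Header Options and Threshold rows concrete, the following added example (not Zyxel code and not part of the original guide) parses a raw IPv4 header and evaluates the comparisons named in the table. The dictionary keys, the rule that all enabled options must hold together, and the sliding-window reading of "packets per seconds" are assumptions made for illustration.

```python
import struct
from collections import deque

# Comparison names as they appear in the table; dict keys below are assumptions.
OPS = {"equal": lambda a, b: a == b, "not-equal": lambda a, b: a != b,
       "smaller": lambda a, b: a < b, "greater": lambda a, b: a > b}

def parse_ipv4(raw):
    """Pull the fields the Header Options rows refer to out of an IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, tos, _, ident, frag, ttl = struct.unpack("!BBHHHB", raw[:9])
    return {"tos": tos, "id": ident, "ttl": ttl,
            "reserved": bool(frag & 0x8000),   # reserved bit
            "df": bool(frag & 0x4000),         # don't fragment
            "mf": bool(frag & 0x2000),         # more fragments follow
            "frag_offset": frag & 0x1FFF}      # in 8-byte units

def header_matches(sig, hdr):
    """True only if every header option enabled in the signature holds."""
    for field, cond in sig["header"].items():
        if isinstance(cond, tuple):            # (comparison, number)
            op, number = cond
            if not OPS[op](hdr[field], number):
                return False
        elif hdr[field] != cond:               # flag option: True or False
            return False
    return True

class Threshold:
    """Reports an intrusion once `packets` matches fall within `seconds`."""
    def __init__(self, packets, seconds):
        self.packets, self.seconds, self.hits = packets, seconds, deque()

    def hit(self, now):
        self.hits.append(now)
        while now - self.hits[0] >= self.seconds:  # drop matches outside window
            self.hits.popleft()
        return len(self.hits) >= self.packets

# Constructed sample: 20-byte header, TTL 1, "more fragments" set, offset 0.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x2000, 1, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
# Hypothetical signature: TTL smaller than 5, MF flag set, Type Of Service 0.
SIG = {"header": {"ttl": ("smaller", 5), "mf": True, "tos": ("equal", 0)}}

if __name__ == "__main__":
    thr = Threshold(packets=3, seconds=10)
    for t in (0, 1, 2):                        # three matches in two seconds
        fired = header_matches(SIG, parse_ipv4(SAMPLE)) and thr.hit(t)
        print(t, fired)
```

A single matching packet does not fire here; only the third match inside the 10-second window does, which is the behaviour the Frequency and Threshold rows describe.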