IDP

See the IDP section for related information on these screens.

Introduction to IDP

An IDP system can detect malicious or suspicious packets and respond instantaneously. It is designed to detect pattern-based attacks.

Host Intrusions

Host-based intrusions aim to infiltrate files on an individual computer or server in order to access confidential information or to destroy information on that computer.

You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.

Disadvantages of host IDPs are that you have to install them on each device in your network that you want to protect, and that, because of the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.

Network Intrusions

Network-based intrusions have the goal of bringing down a network or networks by attacking computers, switches, routers or modems. If a LAN switch is compromised, for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or to attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical network-based intrusions are SQL Slammer, Blaster, Nimda, MyDoom, etc.

IDP on the ZyWALL

IDP on the ZyWALL protects against network-based intrusions. See Policy Types for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.

Signatures

If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens.

Traffic Directions and Profiles

A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.

An IDP profile is a set of IDP rules with configured activation, log and action settings. The ZyWALL comes with default profiles that you can bind to traffic directions. For example, by default the LAN_IDP profile is bound to any traffic going to the LAN zone. You could use this to protect your LAN computers.

You can also create your own IDP profiles from base profiles. See Base Profiles for details on base profiles.

Note: You can only bind one profile to one traffic direction.

Configuring IDP General

Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information.

Note: You must register in order to use packet inspection signatures. See the Registration screens.

Anti-X > IDP > General  

LABEL
Description
General Setup
 
Enable Signature Detection
You must register for IDP service in order to use packet inspection signatures. If you don't have a standard license, you can register for a once-off trial one.
Bindings
Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction.
Priority
This is this binding's rank in the list of IDP profile to traffic direction bindings. The list is applied in order of priority.
From, To
This is the direction of travel of packets to which an IDP profile is bound.

Note: Depending on your network topology and traffic load, binding every packet direction to an IDP profile may affect the ZyWALL's performance.

From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL's LAN zone interfaces. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet.
From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone.
IDP Profile
An IDP profile is a set of IDP rules with configured activation, log and action settings. This field shows which IDP profile is bound to which traffic direction. Click the popup icon to change to a different profile.
(Icons)
Click the Add icon in the heading row to add a new first entry.
The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry.
Click the Edit icon to go to the screen where you can edit the entry.
Click the Add icon in an entry to add an entry below the current entry.
Click the Remove icon to delete an existing entry from the ZyWALL. A window displays asking you to confirm that you want to delete the entry. Note that subsequent entries move up by one when you take this action.
In a numbered list, click the Move to N icon to display a field to type an index number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
The ordering of your entries is important as they are applied in order of their numbering.
Registration
You need to create an account at myZyXEL.com, register your ZyWALL and then subscribe for IDP in order to be able to download new packet inspection signatures from myZyXEL.com. There's an initial free trial period for IDP after which you must pay to subscribe to the service. See the Registration chapter for details.
Registration Status
Licensed, Not Licensed or Expired indicates whether you have subscribed for IDP services, have not subscribed, or your registration has expired.
Registration Type
This field shows Trial, Standard or None depending on whether you subscribed to the IDP trial, bought an iCard for IDP service or neither.
Apply new Registration
This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
Signature Information
The following fields display information on the current signature set that the ZyWALL is using.
Current Version
This field displays the IDP signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes.
Reset
Click Reset to start configuring this screen again.

Configuring IDP Bindings

Use this screen to bind an IDP profile to a traffic direction.

Anti-X > IDP > General > Add  

LABEL
Description
Enable
Select this check box to turn on this IDP profile to traffic direction binding.
From
Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
Use the From field to specify the zone from which the traffic is coming.
To
Use the To field to specify the zone to which the traffic is going.
IDP Profile
An IDP profile is a set of IDP rules with configured activation, log and action settings. Select an IDP profile to bind to the entry's traffic direction. Configure the IDP profiles in the IDP profile screens.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.

Introducing IDP Profiles

An IDP profile is a set of packet inspection signatures.

Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.

In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see ADP for information on anomaly detection).

Base Profiles

The ZyWALL comes with several base profiles. You use base profiles to create new profiles.

The following table describes this screen.

Base Profiles  

Base Profile
Description
all
All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them.
dmz
This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled.
lan
This profile is most suitable for common LAN network services. Signatures for common services such as DNS, FTP, HTTP, ICMP, IM, IMAP, MISC, NETBIOS, P2P, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, TFTP, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate logs (not log alerts) and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled.
none
All signatures are disabled. No logs are generated and no actions are taken.
wan
Signatures for all services are enabled. Signatures with a medium, high or severe severity level (greater than two) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low or low severity level (less than or equal to two) are disabled.

Profile Summary Screen

Use this screen to:

Anti-X > IDP > Profile 

LABEL
Description
Name
This is the name of the profile you created.
Base Profile
This is the base profile from which the profile was created.
(Icons)
Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile.
Click an Edit icon to edit an existing profile.
Click a Remove icon to delete an existing profile.

Creating New Profiles

You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as to improve ZyWALL IDP processing efficiency.

You may also find that certain signatures are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial IDP deployment.

You could create a new 'monitor profile' that creates logs but has all actions disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an 'inline profile' in which you configure appropriate actions to be taken when a packet matches a signature.

Procedure To Create a New Profile

To create a new profile:

Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.

Profiles: Packet Inspection

Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer-4 to layer-7.

Profile > Group View Screen

Anti-X > IDP > Profile > Group View 

LABEL
Description
Name
This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Switch to query view
Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
Service
Click the + sign next to a service group to expand it. A service group is a group of related IDP signatures.
Message
This is the name of the signature.
SID
This is the signature ID (identification) number that uniquely identifies a ZyWALL signature.
Severity
These are the severities as defined in the ZyWALL. The number in brackets is the number you use when configuring severity with commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very Low (1): These denote possible attacks caused by traffic such as ping, traceroute, ICMP queries, etc.
Policy Type
This is the attack type as defined on the ZyWALL. See Policy Types for a description of each type.
Activation
Click the icon to enable or disable a signature or group of signatures.
Log
These are the log options:
original setting: Select this option to return each log option within a service group to its previously saved configuration.
no: Select this option on an individual signature or a complete service group to have the ZyWALL create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the ZyWALL create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
Action
Select what action the ZyWALL should take when a packet matches a signature here.
original setting: Select this action to return each signature in a service group to its previously saved configuration.
none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the ZyWALL silently drop a packet that matches the signature(s). Neither sender nor receiver are notified.
reject-sender: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the ZyWALL sends a packet with the RST flag set. If it is an ICMP or UDP attack packet, the ZyWALL sends an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL sends a packet with the RST flag set. If it is an ICMP or UDP attack packet, the ZyWALL does nothing.
reject-both: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and the receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL sends a packet with the RST flag set to both the receiver and the sender. If it is an ICMP or UDP attack packet, the ZyWALL sends an ICMP unreachable packet.
OK
A profile consists of three separate screens. If you want to configure just one screen for an IDP profile, click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
If you want to configure more than one screen for an IDP profile, click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
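The name rule in the Name row of this screen applies unchanged to custom signature names, and custom signatures additionally carry a signature ID that must fall in the 9000000 to 9999999 range (see the Custom Signatures screen later on this page). The following Python validator is an added example, not ZyXEL's code or part of this manual; the function names and error messages are its own, and the valid and invalid names it is checked against are the ones listed above.

```python
import re
from typing import Optional

# Name rule from this page: 1-31 alphanumeric characters, underscores (_) or
# dashes (-); the first character cannot be a number; names are case-sensitive.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# Range the Custom Signatures screen accepts for a custom signature ID (SID).
SID_MIN, SID_MAX = 9000000, 9999999


def is_valid_name(name: str) -> bool:
    """True when the name satisfies the length and character rules."""
    return NAME_RE.fullmatch(name) is not None


def explain_name_problem(name: str) -> Optional[str]:
    """None when the name is acceptable, otherwise which rule it breaks."""
    if not 1 <= len(name) <= 31:
        return "name must be 1-31 characters long"
    if name[0].isdigit():
        return "first character cannot be a number"
    if not is_valid_name(name):
        return "only letters, digits, underscores (_) and dashes (-) are allowed"
    return None


def check_new_name(name: str, existing: set) -> Optional[str]:
    """Validate a new profile or signature name against the ones already present.

    The comparison is case-sensitive, as the page states, so MyProfile and
    mYProfile may coexist.
    """
    problem = explain_name_problem(name)
    if problem:
        return problem
    if name in existing:
        return "this exact name already exists"
    return None


def check_custom_sid(sid: int, existing_sids: set) -> Optional[str]:
    """A custom SID must be inside the allowed range and not already in use."""
    if not SID_MIN <= sid <= SID_MAX:
        return f"SID must be in the {SID_MIN}-{SID_MAX} range"
    if sid in existing_sids:
        return "SID already exists"
    return None
```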

Policy Types

This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules.

Policy Types 

Policy Type
Description
P2P
Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. On the ZyWALL, P2P refers to peer-to-peer applications such as eMule, eDonkey, BitTorrent, iMesh, etc.
IM
IM (Instant Messaging) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants.
SPAM
Spam is unsolicited "junk" e-mail sent to large numbers of people to promote products or services.
DoS/DDoS
The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.
A distributed denial-of-service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
Scan
A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.
A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network.
A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports.
A scan on a service is commonly referred to as a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is an HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities.
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Intruders could run code in the overflowed buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.
Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system resources, thus slowing or stopping other tasks.
Backdoor/Trojan
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data.
Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan.
Access Control
Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.
Web Attack
Web attacks refer to attacks on web servers such as IIS (Internet Information Services).

IDP Service Groups

An IDP service group is a set of related packet inspection signatures.

IDP Service Groups 

WEB_PHP
WEB_MISC
WEB_IIS
WEB_FRONTPAGE
WEB_CGI
WEB_ATTACKS
TFTP
TELNET
SQL
SNMP
SMTP
RSERVICES
RPC
POP3
POP2
P2P
ORACLE
NNTP
NETBIOS
MYSQL
MISC_EXPLOIT
MISC_DDOS
MISC_BACKDOOR
MISC
IMAP
IM
ICMP
FTP
FINGER
DNS

Logs and actions applied to a service group apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings.

Profile > Query View Screen

In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.

Anti-X > IDP > Profile: Query View  

LABEL
Description
Name
This is the name of the profile that you created in the IDP > Profiles > Packet Inspection group view screen.
Switch to group view
Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation, logs and/or actions.
Query Signatures
Select the criteria on which to perform the search.
Search all custom signatures
Select this check box to search for signatures you created or imported in the Custom Signature screen. You can search by name or ID. If the name and ID fields are left blank, then all custom signatures are displayed.
Name
Type the name or part of the name of the signature(s) you want to find.
Signature ID
Type the ID or part of the ID of the signature(s) you want to find.
Severity
Search for signatures by severity level(s) (see Anti-X > IDP > Profile > Group View). Hold down the [Ctrl] key if you want to make multiple selections.
Attack Type
Search for signatures by attack type(s) (see Policy Types). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.
Platform
Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
Service
Search for signatures by IDP service group(s). See IDP Service Groups for group details. Hold down the [Ctrl] key if you want to make multiple selections.
Action
Search for signatures by the response the ZyWALL takes when a packet matches a signature. See Anti-X > IDP > Profile > Group View for action details. Hold down the [Ctrl] key if you want to make multiple selections.
Activation
Search for enabled and/or disabled signatures here.
Log
Search for signatures by log option here. See Anti-X > IDP > Profile > Group View for option details.
Search
Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were. The tighter the criteria selected, the fewer the signatures returned.
Query Result
The results are displayed in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.
Total IDP:
This displays the total number of signatures found in your search.
IDP per page
Select the number of signatures you want to appear per page here.
Page x of x
This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries.
OK
Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.

Introducing IDP Custom Signatures

Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to and loaded from your computer, so that you can share them with others.

You need some knowledge of packet headers and attack types to create your own custom signatures.

IP Packet Header

These are the fields in an Internet Protocol (IP) version 4 packet header.

IP v4 Packet Headers  

Header
Description
Version
The value 4 indicates IP version 4.
IHL
IP Header Length is the number of 32-bit words forming the total length of the header (usually five).
Type of Service
The Type of Service (also known as Differentiated Services Code Point (DSCP)) is usually set to 0, but may indicate particular quality of service needs from the network.
Total Length
This is the size of the datagram in bytes. It is the combined length of the header and the data.
Identification
This is a 16-bit number, which together with the source address, uniquely identifies this packet. It is used during reassembly of fragmented datagrams.
Flags
Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver.
Fragment Offset
This is a byte count from the start of the original sent packet.
Time To Live
This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
Protocol
The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Header Checksum
This is used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network.
Source IP Address
This is the IP address of the original sender of the packet.
Destination IP Address
This is the IP address of the final destination of the packet.
Options
The Options field is a variable-length list of IP options for a datagram. The options include IP Security Option and IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options.
Padding
Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits.
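As an added example (not ZyXEL's code and not part of this manual), the Python below decodes each field of the table above from raw bytes, verifies the Header Checksum with the one's-complement sum of RFC 791, and then evaluates the Header Options that the custom signature screen later on this page offers (Type Of Service, Identification, Fragmentation, Fragmentation Offset, Time to Live) against the decoded header. The sample datagram, the HeaderOptions class and the Equal/Not-Equal/Smaller/Greater spelling of the comparisons are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IPv4Header:
    """The fields of the IP v4 Packet Headers table, as decoded from the wire."""
    version: int
    ihl: int               # header length in 32-bit words (5 when there are no options)
    tos: int
    total_length: int
    identification: int
    reserved_bit: bool     # the three Flags bits: reserved, DF, MF
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int   # carried on the wire in units of 8 bytes (RFC 791)
    ttl: int
    protocol: int          # 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP
    checksum_ok: bool
    src: str
    dst: str
    options: bytes         # raw Options + Padding bytes, empty when IHL is 5


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words: over a header whose checksum
    field is zero this is the value to store; over a filled-in valid header it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header plus any options and verify the checksum."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 header (version={version})")
    if ihl < 5 or len(raw) < ihl * 4:
        raise ValueError(f"IHL {ihl} does not fit in {len(raw)} bytes")
    header = raw[: ihl * 4]
    flags = flags_frag >> 13
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident, reserved_bit=bool(flags & 0b100),
        dont_fragment=bool(flags & 0b010), more_fragments=bool(flags & 0b001),
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto,
        checksum_ok=ipv4_checksum(header) == 0,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=header[20:],
    )


@dataclass
class HeaderOptions:
    """Header Options of a custom signature; None means that check box is clear."""
    tos: Optional[Tuple[str, int]] = None              # ("Equal" | "Not-Equal", n)
    identification: Optional[int] = None               # exact value used by the intrusion
    fragmentation: Optional[str] = None                # "DF" | "MF" | "Reserved"
    fragment_offset: Optional[Tuple[str, int]] = None  # ("Equal"|"Smaller"|"Greater", n)
    ttl: Optional[Tuple[str, int]] = None              # ("Equal"|"Smaller"|"Greater", n)


def _compare(op: str, actual: int, wanted: int) -> bool:
    return {"Equal": actual == wanted, "Not-Equal": actual != wanted,
            "Smaller": actual < wanted, "Greater": actual > wanted}[op]


def header_matches(hdr: IPv4Header, opts: HeaderOptions) -> bool:
    """A packet matches only when every configured item matches (logical AND)."""
    checks = []
    if opts.tos is not None:
        checks.append(_compare(opts.tos[0], hdr.tos, opts.tos[1]))
    if opts.identification is not None:
        checks.append(hdr.identification == opts.identification)
    if opts.fragmentation is not None:
        checks.append({"DF": hdr.dont_fragment, "MF": hdr.more_fragments,
                       "Reserved": hdr.reserved_bit}[opts.fragmentation])
    if opts.fragment_offset is not None:
        checks.append(_compare(opts.fragment_offset[0], hdr.fragment_offset,
                               opts.fragment_offset[1]))
    if opts.ttl is not None:
        checks.append(_compare(opts.ttl[0], hdr.ttl, opts.ttl[1]))
    return all(checks)


def build_sample_header(ttl: int = 1, df: bool = True) -> bytes:
    """Constructed sample: header of a 28-byte ICMP datagram, 192.0.2.1 -> 198.51.100.7."""
    flags_frag = (0b010 << 13) if df else 0
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag, ttl, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]
```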

Configuring Custom Signatures

Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can delete signatures here or save them to your computer.

Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none, in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
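The action-resolution rule in the note above, written out as an added Python example (not ZyXEL's code): every rule is evaluated, and the actions of all rules that fired are combined so that the more restrictive one wins and reject-sender plus reject-receiver becomes reject-both. The rule tuples, predicate style and sample packet are constructed for the example.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Bit flags let the two halves of a reject combine: a rule that resets the
# sender plus a rule that resets the receiver adds up to reject-both.
NONE, DROP, REJECT_SENDER, REJECT_RECEIVER = 0b000, 0b001, 0b010, 0b100
REJECT_BOTH = REJECT_SENDER | REJECT_RECEIVER
ACTION_BITS = {"none": NONE, "drop": DROP, "reject-sender": REJECT_SENDER,
               "reject-receiver": REJECT_RECEIVER, "reject-both": REJECT_BOTH}


def resolve_action(actions: Iterable[str]) -> str:
    """Most restrictive action among the matched rules, in the page's order:
    reject-both > reject-receiver / reject-sender > drop > none."""
    bits = NONE
    for action in actions:
        bits |= ACTION_BITS[action]        # KeyError on an unknown action name
    if (bits & REJECT_BOTH) == REJECT_BOTH:
        return "reject-both"
    if bits & REJECT_RECEIVER:
        return "reject-receiver"
    if bits & REJECT_SENDER:
        return "reject-sender"
    if bits & DROP:
        return "drop"
    return "none"


# A rule here is (name, predicate over decoded packet fields, action).
Packet = Dict[str, object]
Rule = Tuple[str, Callable[[Packet], bool], str]


def evaluate(packet: Packet, rules: Iterable[Rule]) -> Tuple[List[str], str]:
    """Check every rule (the ZyWALL keeps searching after a match) and combine
    the actions of all rules that fired."""
    hits = [(name, action) for name, pred, action in rules if pred(packet)]
    return [name for name, _ in hits], resolve_action(action for _, action in hits)


# Constructed sample rules, keyed on header fields a custom signature can test.
SAMPLE_RULES: List[Rule] = [
    ("ttl_zero", lambda p: p["ttl"] == 0, "reject-sender"),
    ("tos_ff_to_dmz", lambda p: p["tos"] == 0xFF and p["to_zone"] == "DMZ", "reject-receiver"),
    ("ident_ffff", lambda p: p["identification"] == 0xFFFF, "drop"),
]
SAMPLE_PACKET: Packet = {"ttl": 0, "tos": 0xFF, "to_zone": "DMZ", "identification": 1}
```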

Anti-X > IDP > Custom Signatures 

LABEL
Description
Creating
Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
SID
SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.
Name
This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent.
Add/Edit
Click the Add icon to create a new signature or click the Edit icon to edit an existing signature.
Delete
Use this column to delete signatures. Select (or clear) the check box in the header column to select (or clear) all check boxes in that column. You can also select (or clear) individual signatures within the column. When you are certain that you have only selected signatures that you want to remove, click the Delete icon. Click OK in the confirm delete signature dialog box to delete the selected signature(s).
Export
Use this column to save signatures to your computer. Select (or clear) the check box in the header column to select (or clear) all check boxes in that column. You can also select (or clear) individual signatures within the column. When you are certain that you have only selected signatures that you want to save, click Export. Click Save in the file download dialog box and then select a location and name for the file.
Custom signature files must end with the '.rules' file name extension, for example, MySig.rules.
Importing
Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL.

Note: The name of the complete custom signature file on the ZyWALL is 'custom.rules'. If you import a file named 'custom.rules', then all custom signatures on the ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named 'custom.rules'.

File Path
Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Import to transfer the file to the ZyWALL.
New signatures then display in the ZyWALL IDP > Custom Signatures screen.

Creating or Editing a Custom Signature

A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives the signature will trigger.

Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.

Anti-X > IDP > Custom Signatures > Add/Edit 

LABEL
Description
Name
Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention.
Signature ID
A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID.
Information
Use the following fields to set general information about the signature as denoted below.
Severity
The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. See Anti-X > IDP > Profile > Group View as a reference.
Platform
Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device.
Service
Select the IDP service group that the intrusion exploits or targets. See IDP Service Groups for a list of IDP service groups. The custom signature then appears in that group in the IDP > Profile > Packet Inspection screen.
Policy Type
Categorize the type of intrusion here. See Policy Types as a reference.
Frequency
Recurring packets of the same type may indicate an attack. Use the following field to specify how many packets within how many seconds constitute an intrusion.
Threshold
Select Threshold and then type how many packets (that meet the other criteria in this signature) within how many seconds constitute an intrusion. Matching packets that stay below this rate do not trigger the signature.
Header Options
 
Network Protocol
Configure signatures for IP version 4.
Type Of Service
The Type Of Service field in the IP header requests a level of speed and/or reliability for the datagram. Some intrusions use an invalid Type Of Service value. Select the check box, select Equal or Not-Equal, and then type the value.
Identification
The Identification field identifies a datagram; when a datagram is fragmented, every fragment carries the same Identification value so that the fragments can be reassembled. Some intrusions use a fixed or invalid Identification value. Select the check box and then type the value that the intrusion uses.
Fragmentation
The fragmentation flags in the IP header indicate whether the datagram may be fragmented (Don't Fragment), whether more fragments follow (More Fragments), or set the reserved bit, which must normally be zero. Some intrusions can be identified by these flags. Select the check box and then select the flag that the intrusion uses.
Fragmentation Offset
When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where a fragment belongs in the set of fragments. Some intrusions use an invalid Fragmentation Offset value, for example one that makes fragments overlap. Select the check box, select Equal, Smaller or Greater, and then type a number.
Time to Live
Time to Live is a counter that every router decrements as the datagram passes through; when it reaches zero, the datagram is discarded. It sets an upper limit on the number of routers a datagram can traverse. Some intrusions can be identified by the value in this field. Select the check box, select Equal, Smaller or Greater, and then type a number.
IP Options
IP Options is a variable-length list of options carried in the IP header. The options you can select are IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (each router records its IP address), Loose Source Routing (a list of IP addresses the datagram must pass through), Strict Source Routing (a list of IP addresses that are the only routers the datagram may pass through), Timestamp (each router records its IP address and the time), End of IP List and No IP Options. IP options can help identify some intrusions; the source routing options in particular are rarely seen in legitimate traffic. Select the check box and then select the option that the intrusion uses from the list box.
Same IP
Select the check box for the signature to match packets whose source and destination IP addresses are the same. No legitimate packet has this combination; it is crafted to make a host reply to itself.
Transport Protocol
The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol: TCP
 
Port
Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
Flow
If selected, the signature only applies to traffic in a particular direction and in a particular connection state. Select Flow and then select the options that identify the traffic.
Established: The signature only checks packets that belong to an established TCP connection.
Stateless: The signature is checked regardless of the state tracked by the stream processor (useful for single packets designed to crash a device, which never complete a connection).
To Client: The signature only checks traffic flowing from the server to the client (server responses).
To Server: The signature only checks traffic flowing from the client to the server (client requests).
From Client: The same direction as To Server: client requests flowing from the client to the server.
From Server: The same direction as To Client: server responses flowing from the server to the client.
No Stream: The signature does not check packets rebuilt from a stream.
Only Stream: The signature only checks packets rebuilt from a stream.
Flags
Select which TCP flag bits the signature should check for.
Sequence Number
Use this field to check for a specific TCP sequence number.
Ack Number
Use this field to check for a specific TCP acknowledgement number.
Window Size
Use this field to check for a specific TCP window size.
Transport Protocol: UDP
 
Port
Select the check box and then enter the source and destination UDP port numbers that will trigger this signature.
Transport Protocol: ICMP
 
Type
Use this field to check for a specific ICMP type value.
Code
Use this field to check for a specific ICMP code value.
ID
Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate.
Sequence Number
Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate.
Payload Options
The longer and more specific the payload content you match, the more exact the match and the faster the search, because long patterns are matched with fewer comparisons and produce fewer false hits. If possible, include at least one payload option in every signature.
Payload Size
This field may be used to check for abnormally sized packets or for detecting buffer overflows.
Select the check box, then select Equal, Smaller or Greater and then type the payload size.
Packets rebuilt from a stream are not checked against Payload Size, regardless of the size of the payload.
Offset
This field specifies where to start searching for the pattern in the payload. For example, an offset of 5 skips the first five bytes of the payload and starts the search at the sixth byte.
Content
Type the content that the signature should search for in the packet payload. Bytes entered as hexadecimal between pipes are matched as raw byte values, which lets you match non-printable bytes. For example, you can write an ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).
Case-insensitive
Select this check box if content casing does NOT matter.
Decode as URI
A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example an electronic document, an image, a service ("today's weather report for Taiwan"), or a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select this check box for the signature to search the normalized URI buffer instead of the raw packet payload. Because the URI is decoded before it is searched, a signature whose content is written in encoded form, such as %2f for a slash or the encoded ../ of a directory traversal, never matches: the encoding has been normalized out of the URI buffer. Write the content in its decoded form instead.
For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
OK
Click this button to save your changes to the ZyWALL and return to the summary screen.
Cancel
Click this button to return to the summary screen without saving any changes.
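To make the matching rules above concrete, the following Python script is an added example written for this page (it is not ZyWALL code and does not reflect the ZyWALL's internal implementation). It parses raw IPv4/TCP packets and evaluates a signature expressed as a dictionary with the semantics the Add/Edit screen describes: every configured field must match and unset fields are wildcards, Content may use |hex| escapes, Offset and Case-insensitive apply to the search, Decode as URI searches the normalized request URI rather than the raw bytes, and a Threshold counter implements the Frequency field. The dictionary keys, the build_packet helper and the sample HTTP requests are assumptions constructed for the illustration; the URI normalizer implements the decoding steps the cmd.exe example above implies (percent-decoding, the overlong %c0%af slash and ../ collapsing) and is not the ZyWALL's exact normalizer.

```python
import re
import struct
from collections import deque

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total len, id, flags+frag off, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")     # sport, dport, seq, ack, data offset, flags, window, csum, urgent

def parse_ipv4_tcp(raw):
    """Return the header fields the Add/Edit screen can test, plus the TCP payload."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = IP_HDR.unpack_from(raw)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, doff, flags, win, _, _ = TCP_HDR.unpack_from(raw, ihl)
    return {"tos": tos, "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "same_ip": src == dst, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "tcp_flags": flags, "window": win,
            "payload": raw[ihl + (doff >> 4) * 4:total_len]}

def parse_content(spec):
    """'cmd.exe|3f|/c' -> b'cmd.exe?/c': text outside pipes is literal, hex between pipes is raw bytes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(spec.split("|")))

def normalize_uri(uri):
    """Decode %xx (and the overlong %c0%af slash from the manual's example), then collapse ./ and ../."""
    path, sep, query = uri.partition("?")
    path = re.sub(r"%c0%af", "/", path, flags=re.IGNORECASE)
    path = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), path)
    stack = []
    for seg in path.split("/"):
        if seg == "..":
            if stack:
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack) + sep + query

def _cmp(op, actual, wanted):
    return {"eq": actual == wanted, "ne": actual != wanted, "gt": actual > wanted, "lt": actual < wanted}[op]

def matches(sig, raw):
    """True only when EVERY condition present in sig holds for the packet; unset fields are wildcards."""
    f = parse_ipv4_tcp(raw)
    for name in ("tos", "id", "frag_offset", "ttl", "seq", "ack", "window"):   # (op, value) pairs
        if name in sig and not _cmp(sig[name][0], f[name], sig[name][1]):
            return False
    for name in ("df", "mf", "same_ip"):                                        # boolean flags
        if sig.get(name) and not f[name]:
            return False
    for name in ("sport", "dport"):                                             # exact port numbers
        if sig.get(name) is not None and f[name] != sig[name]:
            return False
    if "tcp_flags" in sig and f["tcp_flags"] & sig["tcp_flags"] != sig["tcp_flags"]:
        return False
    if "payload_size" in sig and not _cmp(sig["payload_size"][0], len(f["payload"]), sig["payload_size"][1]):
        return False
    if "content" in sig:
        needle = parse_content(sig["content"])
        if sig.get("decode_as_uri"):
            # Decode as URI: search the normalized request URI, not the raw bytes, so an encoded
            # form such as %c0%af can never be found in the haystack.
            request_line = f["payload"].split(b"\r\n", 1)[0].decode("latin-1")
            hay = normalize_uri((request_line.split(" ") + [""])[1]).encode("latin-1")
        else:
            hay = f["payload"][sig.get("offset", 0):]
        if sig.get("case_insensitive"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

class Threshold:
    """Frequency field: fire only once `count` matching packets arrive within `seconds`."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.times = count, seconds, deque()

    def hit(self, now):
        self.times.append(now)
        while now - self.times[0] > self.seconds:   # drop matches that fell out of the window
            self.times.popleft()
        return len(self.times) >= self.count

def build_packet(payload, sport=4321, dport=80, ttl=64, tos=0, ident=1, flags_frag=0x4000,
                 src=b"\x0a\x00\x00\x05", dst=b"\xc0\xa8\x01\x0a", tcp_flags=0x18):
    """Constructed sample packet (not a capture): minimal IPv4/TCP headers with checksums left zero."""
    total = IP_HDR.size + TCP_HDR.size + len(payload)
    ip = IP_HDR.pack(0x45, tos, total, ident, flags_frag, ttl, 6, 0, src, dst)
    return ip + TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, tcp_flags, 8192, 0, 0) + payload

# Hypothetical signature for the manual's Unicode traversal URI: match the decoded path, not the encoding.
UNICODE_TRAVERSAL = {"dport": 80, "tcp_flags": 0x08, "content": "/winnt/system32/cmd.exe|3f|",
                     "decode_as_uri": True, "case_insensitive": True}
EVIL = build_packet(b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n\r\n")
BENIGN = build_packet(b"GET /index.html HTTP/1.0\r\n\r\n")
```

Running matches(UNICODE_TRAVERSAL, EVIL) returns True and matches(UNICODE_TRAVERSAL, BENIGN) returns False. The instructive case is the encoded form: {"content": "%c0%af"} matches the raw payload of EVIL, but the same content with "decode_as_uri": True never matches, because the normalizer has already turned %c0%af into a slash and collapsed the ../ segments before the search runs. That is exactly why the Decode as URI description tells you to write content in its decoded form.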

Applying Custom Signatures

After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999.

In a profile you can activate the signature, configure the action to take when a packet matches it, and set whether a match generates a log or an alert. Then bind the profile to a zone.

Verifying Custom Signatures

Configure the signature to create a log when a packet matches it. (You may also want to configure an alert if the attack is more serious and needs immediate attention.) After you apply the signature to a zone, send the traffic you expect it to match and confirm that it works by checking the logs (Maintenance > Logs > View Log).

All IDP signatures come under the IDP category. The Priority column shows warn for signatures configured to generate a log only, and critical for signatures configured to generate a log and an alert. The Count column is the number of times the attack occurred at that time. The Note column displays ACCESS FORWARD when no action is configured for the signature and ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS, for example) that the attack tries to exploit.