Chapter 20 IPS
USG FLEX H Series User’s Guide
306
Rate Based Signature: IPS signatures identify packets with suspicious or malicious patterns, and the Zyxel Device can then respond immediately according to the action you define. If you do not want the Zyxel Device to respond immediately to every suspicious packet it detects, use rate based signatures so that it responds only after a number of occurrences (Count) within a certain time period (Period). See Section 20.1.2 on page 302 for more information on rate based signatures.

Edit: Select an entry and click Edit to modify the entry's settings.

Active: To turn on an entry, select it and click Activate.

Inactive: To turn off an entry, select it and click Inactivate.

Log: To edit an entry's log option, select it and use the Log icon. Select whether the Zyxel Device generates a log (log), a log and an alert (log alert), or neither (no) when a packet matches a signature.

Action: To edit the action the Zyxel Device takes when a packet matches a signature, select the entry and use the Action icon.
  none: The Zyxel Device takes no action when a packet matches a signature.
  drop: The Zyxel Device silently drops a packet that matches a signature. Neither the sender nor the receiver is notified.
  reject: The Zyxel Device sends a reset to both the sender and the receiver when a packet matches a signature. For a TCP attack packet, it sends a packet with the RST flag set to both the receiver and the sender. For an ICMP or UDP attack packet, it sends an ICMP unreachable packet. Unlike drop, reject generates traffic of its own, so the sender can observe that the connection was actively torn down.

#: This is the entry's index number in the list.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

SID: The signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order.

Name: The name of the rate-based signature, which describes the type of attack the Zyxel Device can identify.

Severity: This field displays signatures by severity level(s). Hold down the [Ctrl] key to make multiple selections. These are the severities as defined in the Zyxel Device; the number in brackets is the value you use in CLI commands.
  Severe (5): Attacks that try to run arbitrary code or gain system privileges.
  High (4): Known serious vulnerabilities or attacks that are probably not false alarms.
  Medium (3): Medium threats, access control attacks, or attacks that could be false alarms.
  Low (2): Mild threats or attacks that could be false alarms.
  Very-Low (1): Possible attacks caused by traffic such as ping, traceroute, ICMP queries, etc.

Classification: This field displays signatures by attack type (see Table 153 on page 307). Attack types are known as policy types in the group view screen.

Platform: This field displays signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key to make multiple selections.

Service: This field displays signatures by IPS service group(s). See Table 153 on page 307 for group details. Hold down the [Ctrl] key to make multiple selections.
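The following is an added illustration of the rate based signature logic described in this table (Count occurrences within Period, then the configured action) and of what the reject action emits per protocol. It is example code written for this guide, not Zyxel firmware code, and it makes assumptions the table does not state: matches are counted per signature and per source address, the Count-th match inside the trailing Period-second window is the one that triggers the action, matches older than Period are discarded, and the SIDs, addresses and timestamps in the demo are constructed.

```python
"""Rate based signature matching: act only after Count matches within Period.

Illustrative sliding-window implementation (not Zyxel code). Assumptions not
stated in the user's guide: matches are tracked per (SID, source address),
the Count-th match in the trailing Period-second window triggers the action,
and older matches are evicted from the window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ACTIONS = ("none", "drop", "reject")          # Action column values
LOG_OPTIONS = ("no", "log", "log alert")      # Log column values


@dataclass(frozen=True)
class RateBasedSignature:
    sid: int        # signature ID (constructed values in the demo below)
    name: str
    count: int      # Count: occurrences required inside the window
    period: float   # Period: window length in seconds
    action: str     # "none", "drop" or "reject"
    log: str        # "no", "log" or "log alert"

    def __post_init__(self):
        if self.action not in ACTIONS or self.log not in LOG_OPTIONS:
            raise ValueError(f"invalid action/log setting for SID {self.sid}")
        if self.count < 1 or self.period <= 0:
            raise ValueError(f"Count must be >= 1 and Period > 0 for SID {self.sid}")


def reject_response(proto: str) -> str:
    """What 'reject' sends, as the table describes it: TCP gets an RST to both
    ends; ICMP and UDP get an ICMP unreachable packet."""
    proto = proto.lower()
    if proto == "tcp":
        return "TCP RST to sender and receiver"
    if proto in ("udp", "icmp"):
        return "ICMP unreachable"
    raise ValueError(f"unsupported protocol: {proto}")


class RateBasedMatcher:
    def __init__(self, signatures):
        self.sigs = {s.sid: s for s in signatures}
        # (sid, source) -> timestamps of recent matches, oldest first
        self.windows = defaultdict(deque)

    def observe(self, ts: float, sid: int, source: str, proto: str):
        """Record one signature match on a packet and return (action, response).

        Returns ("none", None) until the match count inside the window reaches
        Count; from then on every match in the window returns the signature's
        action, with the reject packet type when the action is 'reject'."""
        sig = self.sigs[sid]
        win = self.windows[(sid, source)]
        win.append(ts)
        # Evict matches that fall outside the trailing Period-second window.
        while win and ts - win[0] > sig.period:
            win.popleft()
        if len(win) < sig.count:
            return "none", None
        response = reject_response(proto) if sig.action == "reject" else None
        return sig.action, response


def run_demo():
    """Constructed traffic: a TCP probe repeated from one source, plus one
    unrelated source, against a rate based signature with Count=3, Period=10s."""
    sig = RateBasedSignature(sid=900001, name="Repeated login probe (constructed)",
                             count=3, period=10.0, action="reject", log="log alert")
    m = RateBasedMatcher([sig])
    events = [  # (timestamp, source, proto); all values constructed
        (0.0, "198.51.100.7", "tcp"),    # 1st match: below Count, passes
        (4.0, "198.51.100.7", "tcp"),    # 2nd match: still below Count
        (8.0, "203.0.113.9", "tcp"),     # different source: separate counter
        (8.0, "198.51.100.7", "tcp"),    # 3rd match within 10 s: reject fires
        (9.0, "198.51.100.7", "tcp"),    # still inside the window: reject again
        (25.0, "198.51.100.7", "tcp"),   # window expired: counting restarts
    ]
    return [m.observe(ts, sig.sid, src, proto)[0] for ts, src, proto in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The demo shows the trade-off the table describes: the first two matches are allowed through while the count builds, so a rate based signature delays the response in exchange for fewer reactions to isolated false alarms. Because the window is keyed per source here, a slow attacker who spreads attempts across sources or beyond the Period stays below Count, which is why Count and Period should be set against the expected legitimate rate rather than left at arbitrary values.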
Table 152 Security Service > IPS (continued)
LABEL DESCRIPTION