Chapter 20 IPS
USG FLEX H Series User’s Guide
312
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking
computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the
whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when
the goal of the host virus is to propagate attacks on the network, or attack computer/server operating
system vulnerabilities with the goal of bringing down the computer/server. Typical “network-based
intrusions” are SQL slammer, Blaster, Nimda MyDoom etc.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom Zyxel Device ones. Most
Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header
and the rule options as shown in the following example:
alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 a5|”; msg:”mountd access”;)
The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the
rule options. The words before the colons in the rule options section are the option keywords.
The rule header contains the rule's:
•Action
•Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of the packet should be
inspected to determine if the rule action should be taken.
These are some equivalent Snort terms in the Zyxel Device.
Table 156 Zyxel Device - Snort Equivalent Terms
ZYXEL DEVICE TERM SNORT EQUIVALENT TERM
Type Of Service tos
Identification id
Fragmentation fragbits
Fragmentation Offset fragoffset
Time to Live ttl
IP Options ipopts
Same IP sameip
Transport Protocol
Transport Protocol: TCP
Port (In Snort rule header)
Flow flow
Flags flags
Sequence Number seq
Ack Number ack
Window Size window
To Next Page
Loading...
