Chapter 38 IDP
ZyWALL USG Series User’s Guide
732
IP Options IP options is a variable-length list of IP options for a datagram that define IP Security
Option, IP Stream Identifier, (security and handling restrictions for the military), Record
Route (have each router record its IP address), Loose Source Routing (specifies a list of IP
addresses that must be traversed by the datagram), Strict Source Routing (specifies a list
of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each
router record its IP address and time), End of IP List and No IP Options. IP Options can help
identify some intrusions. Select the check box, then select an item from the list box that
the intrusion uses
Same IP Select the check box for the signature to check for packets that have the same source
and destination IP addresses.
Transport Protocol The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol: TCP
Port Select the check box and then enter the source and destination TCP port numbers that
will trigger this signature.
Flow The selected keyword sets the criteria as to which traffic is matched. You can match
traffic based on direction or whether the connection is established or not. You can also
specify whether you want to match signatures per packet or in a stream of packets.
Established: Match established TCP connections.
Stateless: Match packets regardless of the state of the stream processor. This is useful for
packets that are designed to cause machines to crash.
To Client: Match packets that flow from server to client.
To Server: Match packets that flow from client to server.
From Client: Match packets that flow from client to server.
From Servers: Match packets that flow from server to client.
No Stream: Match packets that have not been reassembled by the stream engine. It will
not match packets that have been reassembled.
Only Stream: Match packets that have been reassembled.
Flags Select what TCP flag bits the signature should check.
Sequence Number Use this field to check for a specific TCP sequence number.
Ack Number Use this field to check for a specific TCP acknowledgment number.
Window Size Use this field to check for a specific TCP window size.
Transport Protocol: UDP
Port Select the check box and then enter the source and destination UDP port numbers that
will trigger this signature.
Transport Protocol:
ICMP
Type Use this field to check for a specific ICMP type value.
Code Use this field to check for a specific ICMP code value.
ID Use this field to check for a specific ICMP ID value. This is useful for covert channel
programs that use static ICMP fields when they communicate.
Sequence Number Use this field to check for a specific ICMP sequence number. This is useful for covert
channel programs that use static ICMP fields when they communicate.
Payload Options The longer a payload option is, the more exact the match, the faster the signature
processing. Therefore, if possible, it is recommended to have at least one payload option
in your signature.
Table 266 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit (continued)
LABEL DESCRIPTION
To Next Page
Loading...
