ZyXEL Communications ZyWall ATP series User Manual page 547

Table 221 Configuration > Security Service > IDP > Custom Signatures > Add/Edit (continued)
LABEL DESCRIPTION
IP Options IP options is a variable-length list of IP options for a datagram that define IP Security
Option, IP Stream Identifier, (security and handling restrictions for the military), Record
Route (have each router record its IP address), Loose Source Routing (specifies a list of IP
addresses that must be traversed by the datagram), Strict Source Routing (specifies a list
of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each
router record its IP address and time), End of IP List and No IP Options. IP Options can help
identify some intrusions. Select the check box, then select an item from the list box that
the intrusion uses
Same IP Select the check box for the signature to check for packets that have the same source
and destination IP addresses.
Transport Protocol The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol: TCP
Port Select the check box and then enter the source and destination TCP port numbers that
will trigger this signature.
Flow If selected, the signature only applies to certain directions of the traffic flow and only to
clients or servers. Select Flow and then select the identifying options.
Established: The signature only checks for established TCP connections
Stateless: The signature is triggered regardless of the state of the stream processor (this is
useful for packets that are designed to cause devices to crash)
To Client: The signature only checks for server responses from A to B.
To Server: The signature only checks for client requests from B to A.
From Client: The signature only checks for client requests from B to A.
From Servers: The signature only checks for server responses from A to B.
No Stream: The signature does not check rebuilt stream packets.
Only Stream: The signature only checks rebuilt stream packets.
Flags Select what TCP flag bits the signature should check.
Sequence Number Use this field to check for a specific TCP sequence number.
Ack Number Use this field to check for a specific TCP acknowledgment number.
Window Size Use this field to check for a specific TCP window size.
Transport Protocol: UDP
Port Select the check box and then enter the source and destination UDP port numbers that
will trigger this signature.
Transport Protocol:
ICMP
Type Use this field to check for a specific ICMP type value.
Code Use this field to check for a specific ICMP code value.
ID Use this field to check for a specific ICMP ID value. This is useful for covert channel
programs that use static ICMP fields when they communicate.
Sequence Number Use this field to check for a specific ICMP sequence number. This is useful for covert
channel programs that use static ICMP fields when they communicate.
Payload Options The longer a payload option is, the more exact the match, the faster the signature
processing. Therefore, if possible, it is recommended to have at least one payload option
in your signature.
Chapter 30 IDP
ZyWALL ATP Series User's Guide
547