Custom Signature Example - ZyXEL Communications ZyWall ATP series User Manual

Chapter 30 IDP

Table 221 Configuration > Security Service > IDP > Custom Signatures > Add/Edit (continued)

LABEL / DESCRIPTION

Payload Size
    This field may be used to check for abnormally sized packets or for detecting buffer overflows.
    Select the check box, then select Equal, Smaller or Greater and then type the payload size.
    Stream rebuilt packets are not checked regardless of the size of the payload.

Add
    Click this to create a new entry.

Edit
    Select an entry and click this to be able to modify it.

Remove
    Select an entry and click this to delete it.

#
    This is the entry's index number in the list.

Offset
    This field specifies where to start searching for a pattern within a packet. For example, an
    offset of 5 would start looking for the specified pattern after the first five bytes of the payload.

Content
    Type the content that the signature should search for in the packet payload.
    Hexadecimal code entered between pipes is converted to ASCII. For example, you could
    represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).

Case-insensitive
    Select Yes if content casing does NOT matter.

Decode as URI
    A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or
    physical resource (RFC 2396). A resource can be anything that has identity, for example, an
    electronic document, an image, a service ("today's weather report for Taiwan"), or a
    collection of other resources. An identifier is an object that can act as a reference to
    something that has identity. Example URIs are:
        ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
        http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
        mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
        telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
    Select Yes for the signature to search for normalized URI fields. This means that if you are
    writing signatures that include normalized content, such as %2 for directory traversals, these
    signatures will not be triggered because the content is normalized out of the URI buffer.
    For example, the URI:
        /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
    will get normalized into:
        /winnt/system32/cmd.exe?/c+ver

OK
    Click this button to save your changes to the Zyxel Device and return to the summary screen.

Cancel
    Click this button to return to the summary screen without saving any changes.

30.3.2 Custom Signature Example

Before creating a custom signature, you must first clearly understand the vulnerability.
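The following Python model, added here as an illustration and not taken from Zyxel's firmware or documentation, shows how the Offset, Content, Case-insensitive and Decode as URI fields of Table 221 interact when a signature is matched against a payload. The `Signature` class, the `parse_content` and `normalize_uri` helpers, and the sample URI handling are all constructed for this example; the URI normalization is a simplified one (percent-decoding, folding of overlong two-byte UTF-8 sequences such as %c0%af to the ASCII character they encode, and `..` segment removal) that reproduces the manual's example, and the device's actual normalizer is not specified on this page. The point it demonstrates is the caveat in the table: a signature whose Content is the raw escape sequence (`%c0%af`) fires on the raw payload but not on the normalized URI buffer, while a signature on the decoded result (`cmd.exe`) fires in both cases.

```python
"""Toy model of IDP custom-signature matching (constructed example, not Zyxel code)."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


def parse_content(content: str) -> bytes:
    """Convert a Content field into a byte pattern.

    Text outside pipes is literal ASCII; text between pipes is hexadecimal,
    so "user|26|pass" and "user&pass" yield the same pattern.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content field")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("ascii")          # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex between pipes
    return bytes(out)


def normalize_uri(uri: str) -> str:
    """Simplified URI normalization (assumption: not the device's exact algorithm).

    Steps: split off the query, percent-decode the path, fold overlong
    two-byte UTF-8 (lead byte 0xC0/0xC1) to the ASCII char it encodes,
    treat backslash as slash, then resolve '.' and '..' segments.
    """
    path, sep, query = uri.partition("?")
    raw = unquote_to_bytes(path)
    chars = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # overlong encoding: %c0%af is an over-long form of '/' (0x2F)
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    decoded = "".join(chars).replace("\\", "/")
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()                      # climb one directory, never above root
            continue
        stack.append(seg)
    return "/" + "/".join(stack) + sep + query   # query string is left untouched


@dataclass
class Signature:
    content: str
    offset: int = 0                 # Offset field: bytes skipped before searching
    case_insensitive: bool = False  # Case-insensitive field
    decode_as_uri: bool = False     # Decode as URI field

    def matches(self, payload: bytes) -> bool:
        pattern = parse_content(self.content)
        buf = payload
        if self.decode_as_uri:
            # Search the normalized URI buffer; here the payload is taken to be
            # the request URI itself (simplifying assumption of this example).
            buf = normalize_uri(payload.decode("latin-1")).encode("latin-1")
        if self.case_insensitive:
            pattern, buf = pattern.lower(), buf.lower()
        return buf.find(pattern, self.offset) != -1


# Constructed sample input: the traversal URI from the manual's Decode as URI example.
SAMPLE_URI = b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"


def demo() -> dict:
    """Return the outcomes a signature author would want to compare."""
    return {
        "normalized": normalize_uri(SAMPLE_URI.decode()),
        # decoded content is present in both the raw and the normalized buffer
        "cmd_exe_decoded": Signature("cmd.exe", decode_as_uri=True).matches(SAMPLE_URI),
        # the raw escape sequence is normalized away, so this signature never fires
        "overlong_decoded": Signature("%c0%af", decode_as_uri=True).matches(SAMPLE_URI),
        # ...but it does fire when searching the raw payload
        "overlong_raw": Signature("%c0%af").matches(SAMPLE_URI),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Use `demo()` as the starting point: swap in your own URI and Content values to check, before deploying a signature, whether the pattern you wrote survives the normalization the Decode as URI option applies.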
ZyWALL ATP Series User's Guide, page 548