Applying Custom Signatures; Verifying Custom Signatures - ZyXEL Communications ZyWall 110 User Manual

From the details of the DNS query, you can see that the protocol is UDP and the port is 53. The type of DNS
packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore, enter |010| as the first
pattern.
The final custom signature should look like the one shown in the following figure.
Figure 510 Example Custom Signature
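
The following Python sketch is an added illustration, not part of the manual and not the ZyWALL matching engine. It builds constructed DNS messages and emulates only the first pattern described above (UDP, port 53, Flags 0x0100 at offset 2 of the payload); the function names and the sample name example.com are assumptions.

```python
import struct

DNS_PORT = 53               # from the page: DNS query over UDP port 53
QUERY_FLAGS = b"\x01\x00"   # from the page: Flags value 0x0100
FLAGS_OFFSET = 2            # from the page: offset 2 (after the 2-byte ID)


def build_dns_message(name, flags=0x0100, txid=0x1234):
    """Build a constructed DNS message: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def decode_flags(payload):
    """Decode the 16-bit flags field found at offset 2 of a DNS payload."""
    if len(payload) < 12:
        raise ValueError("payload is shorter than a DNS header")
    (raw,) = struct.unpack_from("!H", payload, FLAGS_OFFSET)
    return {"raw": raw, "qr": raw >> 15, "opcode": (raw >> 11) & 0xF, "rd": (raw >> 8) & 1}


def matches_first_pattern(proto, dst_port, payload):
    """Emulate the first pattern only: UDP, port 53, bytes 01 00 at offset 2."""
    window = payload[FLAGS_OFFSET:FLAGS_OFFSET + len(QUERY_FLAGS)]
    return proto == "udp" and dst_port == DNS_PORT and window == QUERY_FLAGS


if __name__ == "__main__":
    # Constructed samples: the same question sent with three different flag values.
    samples = {
        "standard query, RD set": build_dns_message("example.com", 0x0100),
        "query, RD cleared": build_dns_message("example.com", 0x0000),
        "response": build_dns_message("example.com", 0x8180),
    }
    for label, payload in samples.items():
        print(label, payload[:4].hex(" "), decode_flags(payload),
              matches_first_pattern("udp", DNS_PORT, payload))
```

The value 0x0100 is a query (QR = 0, opcode 0) with the recursion-desired bit set, so a query sent with that bit cleared (0x0000) or a response (0x8180) does not match this pattern. Keep that in mind when generating test traffic to verify the signature.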

38.3.3 Applying Custom Signatures

After you create your custom signature, it becomes available in an IDP profile (Configuration > UTM
Profile > IDP > Profile > Edit screen). Custom signatures have an SID from 9000000 to 9999999.
Search for the signature, activate it, and configure in the profile what action to take when a packet
matches it and whether it should generate a log or alert. Then bind the profile to a zone.

38.3.4 Verifying Custom Signatures

Configure the signature to create a log when traffic matches the signature. (You may also want to
configure an alert if it is for a serious attack and needs immediate attention.) After you apply the
signature to a zone, you can see if it works by checking the logs (Monitor > Log).
Chapter 38 IDP
ZyWALL USG Series User's Guide