ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual page 438

Unified security gateway

Chapter 29 IDP
Table 137 Anti-X > IDP > Custom Signatures > Add/Edit (continued)

| LABEL | DESCRIPTION |
|---|---|
| IP Options | IP options is a variable-length list of IP options for a datagram. The options are IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select an item from the list box that the intrusion uses. |
| Same IP | Select the check box for the signature to check for packets that have the same source and destination IP addresses. |
| Transport Protocol | The following fields vary depending on whether you choose TCP, UDP or ICMP. |
| Transport Protocol: TCP | |
| Port | Select the check box and then enter the source and destination TCP port numbers that will trigger this signature. |
| Flow | If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options. Established: The signature only checks for established TCP connections. Stateless: The signature is triggered regardless of the state of the stream processor (this is useful for packets that are designed to cause devices to crash). To Client: The signature only checks for server responses from A to B. To Server: The signature only checks for client requests from B to A. From Client: The signature only checks for client requests from B to A. From Servers: The signature only checks for server responses from A to B. No Stream: The signature does not check rebuilt stream packets. Only Stream: The signature only checks rebuilt stream packets. |
| Flags | Select what TCP flag bits the signature should check. |
| Sequence Number | Use this field to check for a specific TCP sequence number. |
| Ack Number | Use this field to check for a specific TCP acknowledgement number. |
| Window Size | Use this field to check for a specific TCP window size. |
| Transport Protocol: UDP | |
| Port | Select the check box and then enter the source and destination UDP port numbers that will trigger this signature. |
| Transport Protocol: ICMP | |
| Type | Use this field to check for a specific ICMP type value. |
| Code | Use this field to check for a specific ICMP code value. |
| ID | Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate. |
| Sequence Number | Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate. |
| Payload Options | The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. |
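
The header checks in the table above (IP Options, Same IP, and the ICMP Type, Code, ID and Sequence Number fields) can be tried offline against constructed packets. The following Python sketch is an added example, not ZyXEL code or the ZyWALL's signature format; the signature keys (`same_ip`, `ip_option`, `icmp_id` and so on), the helper names and the sample packet values are assumptions made for illustration, and the TCP and UDP fields are left out.

```python
import struct

# IP option type numbers from RFC 791/RFC 1108 for the options named in the table
IP_OPTS = {"eol": 0, "rr": 7, "ts": 68, "sec": 130,
           "lsrr": 131, "satid": 136, "ssrr": 137}

def ip_option_types(opts: bytes) -> set:
    """Walk the variable-length IP options list and return the option types seen."""
    seen, i = set(), 0
    while i < len(opts):
        t = opts[i]
        seen.add(t)
        if t == 0:                      # End of Option List
            break
        if t == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                       # malformed length: stop instead of looping
        i += opts[i + 1]
    return seen

def matches(pkt: bytes, sig: dict) -> bool:
    """True if an IPv4/ICMP packet satisfies every header check set in sig."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:    # protocol 1 = ICMP
        return False
    src, dst = pkt[12:16], pkt[16:20]
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    checks = {                          # hypothetical key names, one per table row
        "same_ip": lambda v: (src == dst) == v,
        "ip_option": lambda v: IP_OPTS[v] in ip_option_types(pkt[20:ihl]),
        "icmp_type": lambda v: typ == v,
        "icmp_code": lambda v: code == v,
        "icmp_id": lambda v: ident == v,
        "icmp_seq": lambda v: seq == v,
    }
    return all(checks[k](v) for k, v in sig.items())

def build(src, dst, icmp_id, icmp_seq, opts=b""):
    """Constructed sample: minimal IPv4 + ICMP echo request (checksums left at 0)."""
    opts += b"\x00" * (-len(opts) % 4)  # pad options to a 32-bit boundary
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(opts) // 4), 0,
                     28 + len(opts), 0, 0, 64, 1, 0, bytes(src), bytes(dst))
    return ip + opts + struct.pack("!BBHHH", 8, 0, 0, icmp_id, icmp_seq)
```

A signature such as `{"icmp_type": 8, "icmp_id": 0x1337, "icmp_seq": 0}` matches only echo requests that carry those fixed ID and sequence values, which is the static-field case the ID and Sequence Number rows describe.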
ZyWALL USG 300 User's Guide
