ZyXEL Communications ZyWALL USG 200 Series User Manual page 621

Unified security gateway

ZyWALL USG 100/200 Series User's Guide

Table 168 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL: DESCRIPTION

Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload.

Add: Click this to create a new entry.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

#: This is the entry's index number in the list.

Offset: This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload.

Content: Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipes is converted to ASCII. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).

Case-insensitive: Select Yes if content casing does NOT matter.

Decode as URI: A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), and a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select Yes for the signature to search for normalized URI fields. This means that if you are writing signatures that include normalized content, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
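The following is an added example, not part of the ZyXEL guide: an offline checker for trying out Payload Size, Offset, Content and Case-insensitive settings before entering them, and for seeing the Decode as URI caveat with the two URIs from the table. The function names, the sample request and the exact matching semantics are assumptions based on the field descriptions above, not the device's implementation.

```python
def parse_content(pattern: str) -> bytes:
    """Content field -> bytes: text is literal, hex between pipes is decoded."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipe in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # Even-indexed parts sit outside pipes; odd-indexed parts are hex.
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def signature_matches(payload, content, offset=0, nocase=False, size=None):
    """Assumed semantics. size is None or (op, n), op in Equal/Smaller/Greater."""
    if size is not None:
        op, n = size
        checks = {"Equal": len(payload) == n,
                  "Smaller": len(payload) < n,
                  "Greater": len(payload) > n}
        if not checks[op]:
            return False
    needle = parse_content(content)
    haystack = payload[offset:]  # skip the first `offset` bytes of the payload
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# Constructed sample payload (not captured traffic).
REQUEST = b"GET /index.html?a=1&b=2 HTTP/1.1\r\n"
# The two URIs shown in the Decode as URI row of the table.
RAW_URI = b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"
NORMALIZED_URI = b"/winnt/system32/cmd.exe?/c+ver"

if __name__ == "__main__":
    # |26| and a literal & describe the same byte.
    print(signature_matches(REQUEST, "a=1|26|b=2"))
    # Offset 5 skips "GET /", so a pattern for "GET" no longer matches.
    print(signature_matches(REQUEST, "GET", offset=5))
    # Encoded content is absent from the normalized URI buffer.
    print(signature_matches(NORMALIZED_URI, "%c0%af"))
    # Content that survives normalization still matches.
    print(signature_matches(NORMALIZED_URI, "CMD.EXE", nocase=True))
```

When Decode as URI is set to Yes, write the Content value against the normalized form, as the last two checks show.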
Chapter 34 IDP


This manual is also suitable for:

Zywall usg 100 series
