ZyXEL Communications ZyWALL USG 200 Series User Manual page 627

Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks
by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is
compromised for example, then the whole LAN is compromised. Host-based
intrusions may be used to cause network-based intrusions when the goal of the
host virus is to propagate attacks on the network, or attack computer/server
operating system vulnerabilities with the goal of bringing down the computer/
server. Typical "network-based intrusions" are SQL slammer, Blaster, Nimda
MyDoom etc.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom
ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided
into two logical sections, the rule header and the rule options as shown in the
following example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|";
msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in
parenthesis contains the rule options. The words before the colons in the rule
options section are the option keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of
the packet should be inspected to determine if the rule action should be taken.
These are some equivalent Snort terms in the ZyWALL.
Table 169 ZyWALL - Snort Equivalent Terms
ZYWALL TERM
Type Of Service
Identification
Fragmentation
Fragmentation Offset
Time to Live
IP Options
ZyWALL USG 100/200 Series User's Guide
SNORT EQUIVALENT TERM
tos
id
fragbits
fragoffset
ttl
ipopts
Chapter 34 IDP
627