ZyXEL Communications ZyWALL 110 User Manual page 516

the whole LAN is compromised. Host-based intrusions may be used to cause network-based
intrusions when the goal of the host virus is to propagate attacks on the network, or attack
computer/server operating system vulnerabilities with the goal of bringing down the computer/
server. Typical "network-based intrusions" are SQL slammer, Blaster, Nimda MyDoom etc.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom ZyWALL/USG ones.
Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the
rule header and the rule options as shown in the following example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parenthesis
contains the rule options. The words before the colons in the rule options section are the option
keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of the packet
should be inspected to determine if the rule action should be taken.
These are some equivalent Snort terms in the ZyWALL/USG.
Table 211 ZyWALL/USG - Snort Equivalent Terms
ZYWALL/USG TERM
Type Of Service
Identification
Fragmentation
Fragmentation Offset
Time to Live
IP Options
Same IP
Transport Protocol
Transport Protocol: TCP
Port
Flow
Flags
Sequence Number
Ack Number
Window Size
Transport Protocol: UDP
Port
Chapter 30 IDP
SNORT EQUIVALENT TERM
tos
id
fragbits
fragoffset
ttl
ipopts
sameip
(In Snort rule header)
flow
flags
seq
ack
window
(In Snort rule header)
(In Snort rule header)
ZyWALL/USG Series User's Guide
516