ZyXEL Communications USG40 User Manual page 660

Zywall/usg series

ZyWALL/USG Series User's Guide
Chapter 37 IDP

The following table describes the fields in this screen.

Table 254 Configuration > UTM Profile > IDP > Custom Signatures > Add/Edit

| LABEL | DESCRIPTION |
| --- | --- |
| Name | Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention. |
| Signature ID | A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID. |
| Information | Use the following fields to set general information about the signature as denoted below. |
| Severity | The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. See Table 248 on page 647 as a reference. |
| Platform | Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device. |
| Service | Select the IDP service group that the intrusion exploits or targets. See Table 250 on page 652 for a list of IDP service groups. The custom signature then appears in that group in the IDP > Profile > Group View screen. |
| Policy Type | Categorize the attack type here. See Table 249 on page 651 as a reference. |
| Frequency | Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion. |
| Threshold | Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion. |
| Header Options | |
| Network Protocol | Configure signatures for IP version 4. |
| Type Of Service | Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number. |
| Identification | The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. |
| Fragmentation | A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. |
| Fragment Offset | When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragment Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number. |
| Time to Live | Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it's used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number. |
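
To check a planned signature before entering it, the Name, Signature ID and Header Options rows of Table 254 can be modelled offline. The following Python is an added example, not ZyXEL code and not how the device evaluates signatures; the function names, the criteria dictionary layout, the reading of "alphanumeric" as ASCII and the sample header are all assumptions made here.

```python
import re
import struct

# Comparison choices named in the table: Equal, Not-Equal, Smaller, Greater.
OPS = {
    "equal": lambda a, b: a == b,
    "not-equal": lambda a, b: a != b,
    "smaller": lambda a, b: a < b,
    "greater": lambda a, b: a > b,
}
# Name rule: 1-31 characters from letters, digits, "_" and "-", first one not a digit.
# Assumption: "alphanumeric" is read as ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def valid_identity(name, sid):
    """Check the Name and Signature ID rules (custom SIDs are 9000000-9999999)."""
    return NAME_RE.fullmatch(name) is not None and 9000000 <= sid <= 9999999


def parse_ipv4(header):
    """Extract the IPv4 header fields that the Header Options rows can test."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, tos, _, ident, frag, ttl = struct.unpack("!BBHHHB", header[:9])
    return {
        "tos": tos,
        "identification": ident,
        "reserved": bool(frag & 0x8000),        # reserved bit
        "dont_fragment": bool(frag & 0x4000),   # DF flag
        "more_fragments": bool(frag & 0x2000),  # MF flag
        "fragment_offset": frag & 0x1FFF,       # in 8-byte units
        "ttl": ttl,
    }


def matches(header, criteria):
    """criteria maps field -> (operator, value); unlisted fields are not tested."""
    fields = parse_ipv4(header)
    return all(OPS[op](fields[name], value) for name, (op, value) in criteria.items())


# Constructed sample header: TOS 0, ID 0x1234, MF set, offset 185, TTL 3, checksum left 0.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x2000 | 185, 3, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
# Hypothetical criteria: Fragment Offset Greater 0 and Time to Live Smaller 5.
RULE = {"fragment_offset": ("greater", 0), "ttl": ("smaller", 5)}
```

Running `matches(SAMPLE, RULE)` against captured headers from known-good traffic shows whether the chosen comparisons would also fire on legitimate packets before the signature is enabled.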
