ZyXEL Communications NXC5200 User Manual page 334

Chapter 21 IDP
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks
by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is
compromised for example, then the whole LAN is compromised. Host-based
intrusions may be used to cause network-based intrusions when the goal of the
host virus is to propagate attacks on the network, or attack computer/server
operating system vulnerabilities with the goal of bringing down the computer/
server. Typical "network-based intrusions" are SQL slammer, Blaster, Nimda
MyDoom etc.
Snort Signatures
You may want to refer to open source Snort signatures when creating custom NXC
ones. Most Snort rules are written in a single line. Snort rules are divided into two
logical sections, the rule header and the rule options as shown in the following
example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|";
msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in
parenthesis contains the rule options. The words before the colons in the rule
options section are the option keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination ports information.
The rule option section contains alert messages and information on which parts of
the packet should be inspected to determine if the rule action should be taken.
These are some equivalent Snort terms in the NXC.
Table 122 NXC - Snort Equivalent Terms
NXC TERM
Type Of Service
Identification
Fragmentation
Fragmentation Offset
Time to Live
IP Options
334
SNORT EQUIVALENT TERM
tos
id
fragbits
fragoffset
ttl
ipopts
NXC5200 User's Guide