| Label | Description |
| --- | --- |
Profile Management | |
Add | Click Add to create a new profile. Select from the options in the box. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
References | Select an entry and click References to open a screen that shows which settings use the entry |
Clone | Use Clone to create a new entry by modifying an existing one. • Select an existing entry. • Click Clone. • A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed. |
# | This is the entry’s index number in the list. |
Name | This displays the name of the IDP Profile. |
Base Profile | This displays the base profile used to create the IDP profile. |
Description | This displays the description of the IDP Profile. |
Reference | This displays the number of times an object reference is used in a profile. |
Service | You need to create an account at myZyxel, register your Zyxel Device and then subscribe for IDP in order to be able to download new packet inspection signatures from myZyxel. There’s an initial free trial period for IDP after which you must pay to subscribe to the service. See the Registration chapter for details. |
Service Status | This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license. |
Service Type | This field shows Trial, Standard or None depending on whether you subscribed to the IDP trial, bought an iCard for IDP service or neither. |
Signature Information | The following fields display information on the current signature set that the Zyxel Device is using. |
Current Version | This field displays the IDP signature set version number. This number gets larger as the set is enhanced. |
Signature Number | This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. |
Released Date | This field displays the date and time the set was released. |
Update Signatures | Click this link to go to the screen you can use to download signatures from the update server. |
| Base Profile | Description |
| --- | --- |
none | All signatures are disabled. No logs are generated nor actions are taken. |
all | All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them. |
wan | Signatures for all services are enabled. Signatures with a medium, high or severe severity level (greater than two) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low or low severity level (less than or equal to two) are disabled. |
lan | This profile is most suitable for common LAN network services. Signatures for common services such as DNS, FTP, HTTP, ICMP, IM, IMAP, MISC, NETBIOS, P2P, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, TFTP, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate logs (not log alerts) and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. |
dmz | This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. |
OK | Click OK to save your changes. |
Cancel | Click Cancel to exit this screen without saving your changes. |
| Label | Description |
| --- | --- |
Name | This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names: • MyProfile • mYProfile • Mymy12_3-4 These are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 |
Description | Enter additional information about this IDP rule. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_"). |
Switch to query view | Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. |
Severity Level | Select a severity level and then use the icons to enable/disable and configure logs and actions for all signatures of that level. |
Signature Group | |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Log | To edit an item’s log option, select it and use the Log icon. These are the log options: • no: Select this option on an individual signature or a complete service group to have the Zyxel Device create no log when a packet matches a signature(s). • log: Select this option on an individual signature or a complete service group to have the Zyxel Device create a log when a packet matches a signature(s). • log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Alerts also appear in red in the Monitor > Log screen. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s). |
Action | To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon. • none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s). • drop: Select this action on an individual signature or a complete service group to have the Zyxel Device silently drop a packet that matches the signature(s). Neither the sender nor the receiver is notified. • reject-sender: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. • reject-receiver: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing. • reject-both: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to both the receiver and the sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
Message | This displays the message that is logged when a packet violates this IDP profile rule. |
SID | This displays the Signature ID number. The SID is a numerical field in the 9000000 to 9999999 range. |
Severity | These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands. • Severe (5): These denote attacks that try to run arbitrary code or gain system privileges. • High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms. • Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms. • Low (2): These denote mild threats or attacks that could be false alarms. • Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. |
Policy Type | This displays the application of the IDP profile. |
Log | These are the log options. To edit this, select an item and use the Log icon. |
Action | This is the action the Zyxel Device should take when a packet matches a signature here. To edit this, select an item and use the Action icon. |
Excepted Signatures | Use the icons to enable/disable and configure logs and actions for individual signatures that are different to the general settings configured for the severity level to which the signatures belong. Signatures configured in Query View will appear in Group View. |
Add | Click this to configure settings to a signature that are different to the severity level to which it belongs. |
Remove | Select an existing signature exception and then click this to delete the exception. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Log | To edit an item’s log option, select it and use the Log icon. These are the log options: • no: Select this option on an individual signature or a complete service group to have the Zyxel Device create no log when a packet matches a signature(s). • log: Select this option on an individual signature or a complete service group to have the Zyxel Device create a log when a packet matches a signature(s). • log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet matches a signature(s). |
Action | To edit what action the Zyxel Device takes when a packet matches a signature, select the signature and use the Action icon. • none: Select this action on an individual signature or a complete service group to have the Zyxel Device take no action when a packet matches the signature(s). • drop: Select this action on an individual signature or a complete service group to have the Zyxel Device silently drop a packet that matches the signature(s). Neither the sender nor the receiver is notified. • reject-sender: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. • reject-receiver: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing. • reject-both: Select this action on an individual signature or a complete service group to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to both the receiver and the sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
SID | Type the exact signature ID (identification) number that uniquely identifies a Zyxel Device IDP signature. |
Log | These are the log options. To edit this, select an item and use the Log icon. |
Action | This is the action the Zyxel Device should take when a packet matches a signature here. To edit this, select an item and use the Action icon. |
OK | A profile consists of three separate screens. If you want to configure just one screen for an IDP profile, click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page. |
Cancel | Click Cancel to return to the profile summary page without saving any changes. |
Save | If you want to configure more than one screen for an IDP profile, click Save to save the configuration to the Zyxel Device, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. |
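Anyone creating profiles from a script needs the same name and description rules the Name and Description rows describe. The following Python validator is an added example written for this page, not Zyxel code. Its regular expressions are this example's reading of those rows (whether an underscore or dash may be the first character is not stated on the page, so allowing it is an assumption), and the test names are the valid and invalid examples listed above.

```python
import re

# Assumed reading of the Name row: 1-31 characters drawn from letters,
# digits, underscore and dash; the first character may not be a digit.
# Leading '_' or '-' is allowed here, which the page neither confirms nor denies.
PROFILE_NAME = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
# Description row: up to 60 characters from 0-9, a-z, A-Z, '-' and '_'.
DESCRIPTION = re.compile(r"[A-Za-z0-9_-]{0,60}")


def valid_profile_name(name: str) -> bool:
    """True when the whole string satisfies the profile-name rule."""
    return PROFILE_NAME.fullmatch(name) is not None


def valid_description(text: str) -> bool:
    """True when the whole string fits the description character set and length."""
    return DESCRIPTION.fullmatch(text) is not None


def name_is_available(name: str, existing: list) -> bool:
    """Names are case-sensitive, so MyProfile and mYProfile may coexist,
    but an exact duplicate is rejected, as the Clone row notes."""
    return valid_profile_name(name) and name not in existing


if __name__ == "__main__":
    for candidate in ("MyProfile", "1mYProfile", "My Profile", "MyProfile?"):
        print("%-12s valid=%s" % (candidate, valid_profile_name(candidate)))
```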
| Policy Type | Description |
| --- | --- |
Access Control | Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files. |
Any | Any attack includes all other kinds of attacks that are not specified in the policy such as password, spoof, hijack, phishing, and close-in. |
Backdoor/Trojan Horse | A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data. Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan. |
Buffer Overflow | A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders could run codes in the overflow buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices. |
DoS/DDoS | The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. |
Instant Messenger | IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based communication between two or more users via networks-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. |
Mail | A Mail or E-mail bombing attack involves sending several thousand identical messages to an electronic mailbox in order to overflow it, making it unusable. |
Misc | Miscellaneous attacks take advantage of vulnerable computer networks and web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential. The most common types of Misc. attacks are HTTP Response Smuggling, HTTP Response Splitting and JSON Hijacking. |
P2P | Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the Zyxel Device, P2P refers to peer-to-peer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc. |
Scan | A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network. A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports. A scan on a service is commonly referred to as a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is an HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities. |
SPAM | Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services. |
Stream Media | A Stream Media attack occurs when a malicious network node downloads an overwhelming amount of media stream data that could potentially exhaust the entire system. This method allows users to send small request messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part. |
Tunnel | A Tunneling attack involves sending IPv6 traffic over IPv4, slipping viruses, worms and spyware through the network using secret tunnels. This method infiltrates standard security measures through IPv6 tunnels, passing through IPv4 undetected. An external signal then activates the malicious files to wreak havoc from inside the network. |
Virus/Worm | A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm’s uncontrolled replication consumes system resources, thus slowing or stopping other tasks. |
Web Attack | Web attacks refer to attacks on web servers such as IIS (Internet Information Services). |
| IDP service groups | | | |
| --- | --- | --- | --- |
| WEB_PHP | WEB_MISC | WEB_IIS | WEB_FRONTPAGE |
| WEB_CGI | WEB_ATTACKS | TFTP | TELNET |
| SQL | SNMP | SMTP | RSERVICES |
| RPC | POP3 | POP2 | P2P |
| ORACLE | NNTP | NETBIOS | MYSQL |
| MISC_EXPLOIT | MISC_DDOS | MISC_BACKDOOR | MISC |
| IMAP | IM | ICMP | FTP |
| FINGER | DNS | n/a | |
| Label | Description |
| --- | --- |
Name | This is the name of the profile that you created in the IDP > Profiles > Group View screen. |
Switch to query view | Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation, logs and/or actions. |
Query Signatures | Select the criteria on which to perform the search. |
Search all custom signatures | Select this check box to include signatures you created or imported in the Custom Signatures screen in the search. You can search for specific signatures by name or ID. If the name and ID fields are left blank, then all signatures are searched according to the criteria you select. |
Name | Type the name or part of the name of the signature(s) you want to find. |
Signature ID | Type the ID or part of the ID of the signature(s) you want to find. |
Severity | Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands. • Severe (5): These denote attacks that try to run arbitrary code or gain system privileges. • High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms. • Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms. • Low (2): These denote mild threats or attacks that could be false alarms. • Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. |
Attack Type | Search for signatures by attack type(s). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections. |
Platform | Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections. |
Service | Search for signatures by IDP service group(s). Hold down the [Ctrl] key if you want to make multiple selections. |
Action | Search for signatures by the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections. |
Activation | Search for activated and/or inactivated signatures here. |
Log | Search for signatures by log option here. |
Search | Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were. The tighter the criteria selected, the fewer the signatures returned. |
Query Result | The results are displayed in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID. |
OK | Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page. |
Cancel | Click Cancel to return to the profile summary page without saving any changes. |
Save | Click Save to save the configuration to the Zyxel Device, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. |
| Header | Description |
| --- | --- |
Version | The value 4 indicates IP version 4. |
IHL | IP Header Length is the number of 32-bit words forming the total length of the header (usually five). |
Type of Service | The Type of Service, (also known as Differentiated Services Code Point (DSCP)) is usually set to 0, but may indicate particular quality of service needs from the network. |
Total Length | This is the size of the datagram in bytes. It is the combined length of the header and the data. |
Identification | This is a 16-bit number, which together with the source address, uniquely identifies this packet. It is used during reassembly of fragmented datagrams. |
Flags | Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver. |
Fragment Offset | This is a byte count from the start of the original sent packet. |
Time To Live | This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops. |
Protocol | The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP. |
Header Checksum | This is used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network. |
Source IP Address | This is the IP address of the original sender of the packet. |
Destination IP Address | This is the IP address of the final destination of the packet. |
Options | IP Options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. |
Padding | Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits. |
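The header table above is easiest to check against real bytes. The following Python is an added example written for this page, not Zyxel code: it decodes every field in the table from a raw IPv4 header, verifies the header checksum, and splits the Options area into (type, data) pairs. The packet bytes are constructed, not captured. One detail the table does not spell out is that the Fragment Offset field is stored in units of 8 bytes (RFC 791), so the parser multiplies it before reporting a byte offset.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample (not a real capture): a 20-byte IPv4 header with no
# options, identification 0xabcd, the DF flag set, TTL 64 and protocol 17
# (UDP), followed by 24 bytes of zero payload. 0x0da0 is the correct
# checksum for this header.
SAMPLE_PACKET = bytes.fromhex(
    "4500002c"  # version 4 / IHL 5, TOS 0, total length 44
    "abcd4000"  # identification 0xabcd, flags 010 (DF), fragment offset 0
    "40110da0"  # TTL 64, protocol 17 (UDP), header checksum 0x0da0
    "c0a80001"  # source 192.168.0.1
    "c0a80002"  # destination 192.168.0.2
) + bytes(24)

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header, folded to 16 bits and inverted.
    Over a header whose checksum field is zero this yields the value to
    store; over a header carrying a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> list:
    """Split the options area into (type, data) tuples. Type 0 (End of IP
    List) ends the list and type 1 (No IP Options) has no length byte; every
    other option carries a length byte that counts the type and length bytes."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            options.append((0, b""))
            break
        if kind == 1:
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option at offset %d" % i)
        length = raw[i + 1]
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields listed in the header table. The sanity checks are
    what any inspector must do before trusting a field: version, minimum
    header length, and a header that actually fits the buffer."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBHII", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    header_len = ihl * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    header = packet[:header_len]
    flags = flags_frag >> 13          # three flag bits: reserved, DF, MF
    return {
        "version": version,
        "ihl": ihl,
        "header_length": header_len,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "reserved_flag": bool(flags & 0x4),
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum": checksum,
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": parse_options(header[20:]),
        "same_ip": src == dst,
        "payload": packet[header_len:total_length],
    }


if __name__ == "__main__":
    for key, value in parse_ipv4_header(SAMPLE_PACKET).items():
        print("%-16s %r" % (key, value))
```

A packet with a bad checksum is still parsed, but `checksum_ok` is False; a signature engine should decide explicitly whether such packets are inspected or dropped rather than silently trusting fields from a corrupted header.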
| Label | Description |
| --- | --- |
Custom Signature Rules | Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
Export | To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file. Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules. |
# | This is the entry’s index number in the list. |
SID | SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range. |
Name | This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. |
Customer Signature Rule Importing | Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device. The name of the complete custom signature file on the Zyxel Device is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’. |
File Path | Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Importing to transfer the file to the Zyxel Device. New signatures then display in the Zyxel Device IDP > Custom Signatures screen. |
| Label | Description |
| --- | --- |
Name | Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention. |
Signature ID | A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID. |
Information | Use the following fields to set general information about the signature as denoted below. |
Severity | The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. |
Platform | Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device. |
Service | Select the IDP service group that the intrusion exploits or targets. The custom signature then appears in that group in the IDP > Profile > Group View screen. |
Policy Type | Categorize the attack type here. |
Frequency | Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion. |
Threshold | Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion. |
Header Options | |
Network Protocol | Configure signatures for IP version 4. |
Type Of Service | Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number. |
Identification | The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. |
Fragmentation | A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. |
Fragment Offset | When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragment Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number. |
Time to Live | Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it’s used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number. |
IP Options | IP Options is a variable-length list of IP options for a datagram that define IP Security Option (security and handling restrictions for the military), IP Stream Identifier, Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select from the list box the item that the intrusion uses. |
Same IP | Select the check box for the signature to check for packets that have the same source and destination IP addresses. |
Transport Protocol | The following fields vary depending on whether you choose TCP, UDP or ICMP. |
Transport Protocol: TCP | |
Port | Select the check box and then enter the source and destination TCP port numbers that will trigger this signature. |
Flow | If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options. • Established: The signature only checks for established TCP connections. • Stateless: The signature is triggered regardless of the state of the stream processor (this is useful for packets that are designed to cause devices to crash). • To Client: The signature only checks for server responses from A to B. • To Server: The signature only checks for client requests from B to A. • From Client: The signature only checks for client requests from B to A. • From Servers: The signature only checks for server responses from A to B. • No Stream: The signature does not check rebuilt stream packets. • Only Stream: The signature only checks rebuilt stream packets. |
Flags | Select what TCP flag bits the signature should check. |
Sequence Number | Use this field to check for a specific TCP sequence number. |
Ack Number | Use this field to check for a specific TCP acknowledgment number. |
Window Size | Use this field to check for a specific TCP window size. |
Transport Protocol: UDP | |
Port | Select the check box and then enter the source and destination UDP port numbers that will trigger this signature. |
Transport Protocol: ICMP | |
Type | Use this field to check for a specific ICMP type value. |
Code | Use this field to check for a specific ICMP code value. |
ID | Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate. |
Sequence Number | Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate. |
Payload Options | The longer a payload option is, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. |
Payload Size | This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload. |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This is the entry’s index number in the list. |
Offset | This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload. |
Content | Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipes is converted to ASCII. For example, you could represent the ampersand as either & or \|26\| (26 is the hexadecimal code for the ampersand). |
Case-insensitive | Select Yes if content casing does NOT matter. |
Decode as URI | A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service (“today's weather report for Taiwan”), or a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are: • ftp://ftp.is.co.za/rfc/rfc1808.txt (ftp scheme for File Transfer Protocol services) • http://www.math.uio.no/faq/compression-faq/part1.html (http scheme for Hypertext Transfer Protocol services) • mailto:mduerst@ifi.unizh.ch (mailto scheme for electronic mail addresses) • telnet://melvyl.ucop.edu/ (telnet scheme for interactive services via the TELNET Protocol). Select Yes for the signature to search for normalized URI fields. This means that if you are writing signatures that include normalized content, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver will get normalized into /winnt/system32/cmd.exe?/c+ver. |
OK | Click this button to save your changes to the Zyxel Device and return to the summary screen. |
Cancel | Click this button to return to the summary screen without saving any changes. |
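To make the Header Options, Frequency/Threshold, Payload Options and Decode as URI rows concrete, here is an added Python example written for this page (it is not Zyxel's signature engine) that evaluates a custom-signature-style rule against decoded header fields and a packet payload: the |hex| content syntax, Offset and Case-insensitive, the Equal/Not-Equal/Smaller/Greater comparisons, Same IP, Payload Size, a per-source Threshold window, and URI normalization that reproduces the cmd.exe example above. The header dictionary, the HTTP request and the rules are constructed; extracting the URI from the request line and folding overlong %c0%xx sequences are this example's own simplifications of what a full inspector does.

```python
import re
from collections import deque
from urllib.parse import unquote_to_bytes

# Constructed sample: decoded IPv4 fields (as any header parser would produce
# them) and an HTTP request carrying the traversal URI quoted in the Decode as
# URI row. Not a real capture.
SAMPLE_HEADER = {"tos": 0, "identification": 0xABCD, "fragment_offset": 0,
                 "ttl": 64, "src": "192.168.0.1", "dst": "10.0.0.5"}
SAMPLE_PAYLOAD = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n"
                  b"Host: www.example.test\r\n\r\n")
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d")


def parse_content(spec: str) -> bytes:
    """Content field syntax: text outside pipes is literal, hex inside pipes
    is converted, so '&' and '|26|' denote the same byte."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content %r" % spec)
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))


def compare(value, op: str, ref) -> bool:
    """Equal / Not-Equal / Smaller / Greater as offered by the header options."""
    return {"Equal": value == ref, "Not-Equal": value != ref,
            "Smaller": value < ref, "Greater": value > ref}[op]


def normalize_uri(uri: str) -> str:
    """Percent-decode the path, fold overlong two-byte sequences such as
    %c0%af back to the ASCII byte they encode, then resolve '.' and '..'.
    The query string is kept as-is."""
    path, sep, query = uri.partition("?")
    raw, out, i = unquote_to_bytes(path), bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    segments = []
    for seg in out.decode("latin-1").split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def content_matches(haystack: bytes, spec: str, offset: int = 0, nocase: bool = False) -> bool:
    """Offset skips that many payload bytes before the search begins."""
    needle, hay = parse_content(spec), haystack[offset:]
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def signature_matches(sig: dict, header: dict, payload: bytes) -> bool:
    """Evaluate header options, Same IP, Payload Size and every content option
    of a rule; every configured option must hold for the signature to fire."""
    for field, (op, ref) in sig.get("header", {}).items():
        if not compare(header[field], op, ref):
            return False
    if sig.get("same_ip") and header["src"] != header["dst"]:
        return False
    if "payload_size" in sig and not compare(len(payload), *sig["payload_size"]):
        return False
    for c in sig.get("content", []):
        hay = payload
        if c.get("uri"):                      # Decode as URI = Yes
            m = REQUEST_LINE.match(payload)
            if not m:
                return False
            hay = normalize_uri(m.group(1).decode("latin-1")).encode("latin-1")
        if not content_matches(hay, c["pattern"], c.get("offset", 0), c.get("nocase", False)):
            return False
    return True


class Threshold:
    """Frequency option: 'count packets per seconds', tracked per key
    (for example the source address)."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds, self.seen = count, seconds, {}

    def record(self, key: str, now: float) -> bool:
        window = self.seen.setdefault(key, deque())
        window.append(now)
        while now - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count


# Constructed rule: TTL greater than 1, payload larger than 20 bytes and the
# normalized URI containing the target path regardless of case.
TRAVERSAL_SIG = {
    "header": {"ttl": ("Greater", 1)},
    "payload_size": ("Greater", 20),
    "content": [{"pattern": "/winnt/system32/cmd.exe", "uri": True, "nocase": True}],
}

if __name__ == "__main__":
    print(normalize_uri("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"))
    print(signature_matches(TRAVERSAL_SIG, SAMPLE_HEADER, SAMPLE_PAYLOAD))
```

The two `%c0%af` rules in the usage below show the point the Decode as URI row makes: a pattern written in encoded form matches the raw payload but never the normalized URI buffer, so a signature that should catch traversal regardless of encoding is written against the decoded path instead.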