IDP
Overview
An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the Zyxel Device protects against network-based intrusions.
Use the Security Service > IDP screen (The IDP Screen) to view registration and signature information.
Use the Security Service > IDP > Custom Signature > Add screens (IDP Custom Signatures) to create a new custom signature, edit an existing signature, delete existing signatures or save signatures to your computer.
Use the Security Service > IDP > White List screen (The White List Screen) to list signatures that will be exempted from IDP inspection.
What You Need To Know
Packet Inspection Signatures
A signature is a pattern that identifies malicious or suspicious packet activity. You can specify an action to be taken if the system matches a stream of data to a malicious signature. You can change the action in the profile screens. Packet inspection signatures examine OSI (Open System Interconnection) layer-4 to layer-7 packet contents for malicious data. Generally, packet inspection signatures are created for known attacks, while anomaly detection looks for abnormal behavior.
Applying Your IDP Configuration
Changes to the Zyxel Device’s IDP settings affect new sessions, but not the sessions that already existed before you applied the settings.
Before You Begin
Register for a trial IDP subscription in the Registration screen. This gives you access to free signature updates. This is important as new signatures are created as new attacks evolve. When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription.
The IDP Screen
An IDP profile is a set of packet inspection signatures.
Use this screen to view registration and signature information.
Note: You must register in order to update packet inspection signatures. See the Registration screens.
If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
Click the IDP icon for more information on the Zyxel Device’s security features.
The following table describes the fields in this screen.
Configuration > Security Service > IDP  
label
Description
General Settings
 
Enable
Select this check box to activate the IDP feature which detects and prevents malicious or suspicious packets and responds instantaneously.
Query Signatures
 
Name
Type the name or part of the name of the signature(s) you want to find.
Signature ID
Type the ID or part of the ID of the signature(s) you want to find.
Search all custom signatures
Select this check box to include signatures you created or imported in the Custom Signatures screen in the search. You can search for specific signatures by name or ID. If the name and ID fields are left blank, then all signatures are searched according to the criteria you select.
Severity
Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections.
These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc.
Classification Type
Search for signatures by attack type(s). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.
Platform
Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
Service
Search for signatures by IDP service group(s). Hold down the [Ctrl] key if you want to make multiple selections.
Action
Search for signatures by the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections.
Activation
Search for activated and/or inactivated signatures here.
Log
Search for signatures by log option here.
Query Result
The results are displayed in a table showing the SID, Name, Severity, Classification Type, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.
Custom Signature Rules
Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Export
To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file.
Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules.
#
This is the entry’s index number in the list.
SID
SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.
Name
This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent.
Custom Signature Rule Importing
Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device.
Note: The name of the complete custom signature file on the Zyxel Device is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’.
File Path
Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Importing to transfer the file to the Zyxel Device.
New signatures then display in the Zyxel Device IDP > Custom Signatures screen.
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the IDP signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Policy Types
This table describes Policy Types as categorized in the Zyxel Device.
Policy Types 
Policy Type
Description
Access Control
Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files.
Any
Any attack includes all other kinds of attacks that are not specified in the policy such as password, spoof, hijack, phishing, and close-in.
Backdoor/Trojan Horse
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data.
Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan.
BotNet
A Botnet is a number of Internet computers that have been set up to forward transmissions including spam or viruses to other computers on the Internet though their owners are unaware of it. It is also a collection of Internet-connected programs communicating with other similar programs in order to perform tasks and participate in distributed Denial-Of-Service attacks.
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Intruders could run code placed in the overflowed buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.
DoS/DDoS
The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.
A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
Instant Messenger
IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants.
Mail
A Mail or email bombing attack involves sending several thousand identical messages to an electronic mailbox in order to overflow it, making it unusable.
Misc
Miscellaneous attacks take advantage of vulnerable computer networks and web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential. The most common types of Misc. attacks are HTTP Response Smuggling, HTTP Response Splitting and JSON Hijacking.
P2P
Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the Zyxel Device, P2P refers to peer-to-peer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc.
Scan
A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels.
A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network.
A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports.
A scan on a service is commonly referred to as a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is an HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities.
SPAM
Spam is unsolicited “junk” email sent to large numbers of people to promote products or services.
Stream Media
A Stream Media attack occurs when a malicious network node downloads an overwhelming amount of media stream data that could potentially exhaust the entire system. This method allows users to send small requests messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part.
Tunnel
A Tunneling attack involves sending IPv6 traffic over IPv4, slipping viruses, worms and spyware through the network using secret tunnels. This method infiltrates standard security measures through IPv6 tunnels, passing through IPv4 undetected. An external signal then triggers the malware to spring to life and wreak havoc from inside the network.
Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm’s uncontrolled replication consumes system resources, thus slowing or stopping other tasks.
Web Attack
Web attacks refer to attacks on web servers such as IIS (Internet Information Services).
IDP Service Groups
An IDP service group is a set of related packet inspection signatures.
IDP Service Groups 
WEB_PHP
WEB_MISC
WEB_IIS
WEB_FRONTPAGE
WEB_CGI
WEB_ATTACKS
TFTP
TELNET
SQL
SNMP
SMTP
RSERVICES
RPC
POP3
POP2
P2P
ORACLE
NNTP
NETBIOS
MYSQL
MISC_EXPLOIT
MISC_DDOS
MISC_BACKDOOR
MISC
IMAP
IM
ICMP
FTP
FINGER
DNS
n/a
 
IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others.
You need some knowledge of packet headers and attack types to create your own custom signatures.
IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
IP v4 Packet Headers  
Header
Description
Version
The value 4 indicates IP version 4.
IHL
IP Header Length is the length of the header in 32-bit words (usually five, that is, 20 bytes; larger when IP options are present).
Type of Service
The Type of Service field (whose top six bits are now defined as the Differentiated Services Code Point, DSCP) is usually set to 0, but may indicate particular quality of service needs from the network.
Total Length
This is the size of the datagram in bytes. It is the combined length of the header and the data.
Identification
This is a 16-bit number which, together with the source and destination addresses and the protocol, identifies the datagram that a fragment belongs to. It is used during reassembly of fragmented datagrams.
Flags
Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver.
Fragment Offset
This is the position of the fragment's data within the original datagram, counted in 8-byte units from the start of the original datagram's data.
Time To Live
This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
Protocol
The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2= IGMP; 6 = TCP; 17= UDP.
Header Checksum
This is used to detect processing errors introduced into the packet inside a router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network.
Source IP Address
This is the IP address of the original sender of the packet.
Destination IP Address
This is the IP address of the final destination of the packet.
Options
IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options.
Padding
Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits.
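As an added example, not part of the Zyxel documentation or firmware, the following Python parses an IPv4 header into the fields listed in the table above and evaluates the kinds of conditions a custom signature's Header Options can test (Time to Live, Fragmentation, Fragment Offset, IP Options, Same IP). The sample packet is constructed by the same code rather than captured; build_ipv4, parse_ipv4, checksum_ok and header_checks are names chosen here, not device functions.

```python
"""Added example (not Zyxel code): parse an IPv4 header into the fields described
above and evaluate conditions a custom signature's Header Options can test."""
import socket
import struct
from dataclasses import dataclass
from typing import List

# Option numbers (low 5 bits of the option type byte) from RFC 791.
OPTION_NAMES = {0: "End of List", 1: "No Operation", 2: "Security", 3: "Loose Source Routing",
                4: "Timestamp", 7: "Record Route", 8: "Stream Identifier", 9: "Strict Source Routing"}

@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words
    tos: int
    total_length: int
    identification: int
    flags: int            # bit 2 reserved, bit 1 Don't Fragment, bit 0 More Fragments
    fragment_offset: int  # as carried on the wire, in 8-byte units
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes        # option bytes including padding

    def option_numbers(self) -> List[int]:
        """Walk the option list; End of List and No Operation carry no length byte."""
        found, i = [], 0
        while i < len(self.options):
            kind = self.options[i]
            if kind == 0:
                break
            if kind == 1:
                i += 1
                continue
            if i + 1 >= len(self.options) or self.options[i + 1] < 2:
                raise ValueError("malformed IP option length")
            found.append(kind & 0x1F)
            i += self.options[i + 1]
        return found

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum_ok(packet: bytes) -> bool:
    """A header whose checksum is correct sums to all ones."""
    hlen = (packet[0] & 0x0F) * 4
    return len(packet) >= hlen and ones_complement_sum(packet[:hlen]) == 0xFFFF

def parse_ipv4(packet: bytes) -> IPv4Header:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("version %d is not IPv4" % version)
    if ihl < 5 or len(packet) < ihl * 4 or total_len < ihl * 4:
        raise ValueError("IHL or Total Length inconsistent with the packet")
    if not checksum_ok(packet):
        raise ValueError("bad header checksum")  # a receiving node discards this
    return IPv4Header(version, ihl, tos, total_len, ident, flags_frag >> 13,
                      flags_frag & 0x1FFF, ttl, proto, csum,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst), packet[20:ihl * 4])

def build_ipv4(src: str, dst: str, *, payload_len: int = 0, ttl: int = 64, protocol: int = 6,
               identification: int = 0x1234, flags: int = 0b010, fragment_offset: int = 0,
               tos: int = 0, options: bytes = b"") -> bytes:
    """Build a header with a valid checksum, padding options to a 32-bit boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + payload_len,
                         identification, (flags << 13) | fragment_offset, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    checksum = (~ones_complement_sum(header)) & 0xFFFF
    return header[:10] + struct.pack("!H", checksum) + header[12:]

# Constructed sample: same source and destination address, Don't Fragment set, TTL 3,
# and a Record Route option (type 7, length 7, pointer 4, one empty address slot).
SAMPLE_PACKET = build_ipv4("192.0.2.10", "192.0.2.10", payload_len=20, ttl=3,
                           options=b"\x07\x07\x04" + b"\x00" * 4)

def header_checks(packet: bytes) -> dict:
    """Conditions a custom signature could test under Header Options."""
    h = parse_ipv4(packet)
    return {"same_ip": h.src == h.dst, "dont_fragment": bool(h.flags & 0b010),
            "ttl_smaller_than_5": h.ttl < 5, "fragment_offset_bytes": h.fragment_offset * 8,
            "options": [OPTION_NAMES.get(n, "unknown") for n in h.option_numbers()]}
```

Two details matter when writing header-based signatures: the Fragment Offset carried on the wire is in 8-byte units, so a "Greater than N" comparison in the Add/Edit screen should be thought of in those units, and a packet whose header checksum does not verify is discarded by the receiving node anyway, so signatures on such packets rarely see real traffic.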
The Custom Signature Rules section shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
Note: The Zyxel Device checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the Zyxel Device applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the Zyxel Device will reject-both.
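The following Python is an added example, not Zyxel code, of how the precedence in the note above resolves to one action when a packet matches several custom signatures with different actions. The signatures, their match predicates and the sample request are constructed for illustration; resolve_action and evaluate are names chosen here.

```python
"""Added example (not Zyxel code): resolve the actions of every custom signature a
packet matches, using the precedence given in the note above."""
from typing import Dict, List

# Most restrictive first, in the order the note lists them.
PRECEDENCE = ["reject-both", "reject-receiver", "reject-sender", "drop", "none"]

def resolve_action(actions: List[str]) -> str:
    """Pick the single action applied when several matched rules disagree."""
    unknown = set(actions) - set(PRECEDENCE)
    if unknown:
        raise ValueError("unknown action(s): %s" % sorted(unknown))
    if not actions:
        return "none"
    # A reject-receiver rule and a reject-sender rule together reject both ends.
    if "reject-receiver" in actions and "reject-sender" in actions:
        return "reject-both"
    return min(actions, key=PRECEDENCE.index)

def evaluate(packet: bytes, signatures: List[Dict]) -> Dict:
    """Check every signature (no early exit after a match) and resolve the outcome."""
    matched = [s for s in signatures if s["match"](packet)]
    return {"matched_sids": [s["sid"] for s in matched],
            "action": resolve_action([s["action"] for s in matched])}

# Constructed custom signatures in the 9000000 to 9999999 SID range; each "match"
# stands in for the header and payload options a real signature would carry.
SIGNATURES = [
    {"sid": 9000001, "match": lambda p: b"cmd.exe" in p, "action": "reject-sender"},
    {"sid": 9000002, "match": lambda p: b"/winnt/" in p, "action": "reject-receiver"},
    {"sid": 9000003, "match": lambda p: p.startswith(b"GET "), "action": "none"},
    {"sid": 9000004, "match": lambda p: len(p) > 4096, "action": "drop"},
]

if __name__ == "__main__":
    print(evaluate(b"GET /winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n", SIGNATURES))
```

Because every signature is checked, a permissive rule (action none) never shields a packet from a more restrictive one that also matches; the outcome is always the most restrictive action among all matches.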
Add / Edit Custom Signatures
A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives the signature will trigger.
Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
The following table describes the fields in this screen.
Configuration > Security Service > IDP > Custom Signatures > Add/Edit 
LABEL
Description
Name
Type the name of this custom signature. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention.
Signature ID
A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID.
Information
Use the following fields to set general information about the signature as denoted below.
Severity
The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here.
Platform
Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device.
Classification Type
Categorize the attack type here.
Frequency
Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion.
Threshold
Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion.
Header Options
 
Network Protocol
Configure signatures for IP version 4.
Type Of Service
Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number.
Identification
The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses.
Fragmentation
The fragmentation flags indicate whether the datagram may be fragmented (Don't Fragment), whether more fragments follow (More Fragments), and whether the reserved bit is set. Some intrusions can be identified by these flags. Select the check box and then select the flag that the intrusion uses.
Fragment Offset
When an IP datagram is fragmented, it is reassembled at the final destination. The fragment offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragment Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number.
Time to Live
Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it’s used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
IP Options
IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select the item from the list box that the intrusion uses.
Same IP
Select the check box for the signature to check for packets that have the same source and destination IP addresses.
Transport Protocol
The following fields vary depending on whether you choose TCP, UDP or ICMP.
Transport Protocol: TCP
 
Port
Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
Flow
The selected keyword sets the criteria as to which traffic is matched. You can match traffic based on direction or whether the connection is established or not. You can also specify whether you want to match signatures per packet or in a stream of packets.
Established: Match established connections.
Stateless: Match packets that are not part of an established connection.
To Client: Match packets that flow from server to client.
To Server: Match packets that flow from client to server.
From Client: Match packets that flow from client to server.
From Servers: Match packets that flow from server to client.
No Stream: Match packets that have not been reassembled by the stream engine. It will not match packets that have been reassembled.
Only Stream: Match packets that have been reassembled.
Flags
Select what TCP flag bits the signature should check.
Sequence Number
Use this field to check for a specific TCP sequence number.
Ack Number
Use this field to check for a specific TCP acknowledgment number.
Window Size
Use this field to check for a specific TCP window size.
Transport Protocol: UDP
 
Port
Select the check box and then enter the source and destination UDP port numbers that will trigger this signature.
Transport Protocol: ICMP
 
Type
Use this field to check for a specific ICMP type value.
Code
Use this field to check for a specific ICMP code value.
ID
Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate.
Sequence Number
Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate.
Payload Options
The longer the payload option, the more exact the match and the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
Payload Size
This field may be used to check for abnormally sized packets or for detecting buffer overflows.
Select the check box, then select Equal, Smaller or Greater and then type the payload size.
Stream rebuilt packets are not checked regardless of the size of the payload.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Offset
This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload.
Content
Type the content that the signature should search for in the packet payload. Hexadecimal values entered between pipes are matched as the corresponding raw bytes. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand).
Case-insensitive
Select Yes if content casing does NOT matter.
Decode as URI
A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service (“today's weather report for Taiwan”), a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select Yes for the signature to search the normalized URI fields. This means that if you write signatures that include content which normalization removes, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer.
For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
OK
Click this button to save your changes to the Zyxel Device and return to the summary screen.
Cancel
Click this button to return to the summary screen without saving any changes.
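As an added example, not part of the Zyxel documentation or device software, the following Python implements the payload-option semantics described in the Offset, Content, Case-insensitive and Decode as URI rows above, and reproduces the normalization shown in the cmd.exe example. Assumptions not stated on the page: the URI searched is the request-target of an HTTP request line, percent escapes are decoded once, and the overlong sequence %c0%af is treated as '/'. parse_content, normalize_uri and content_matches are names chosen here, and the request is constructed.

```python
"""Added example (not Zyxel code): Content with |hex| escapes, Offset,
Case-insensitive matching, and Decode as URI normalization."""
import re
from typing import Optional

def parse_content(pattern: str) -> bytes:
    """'abc|26 27|def' -> b"abc&'def": text outside pipes is literal, hex inside."""
    if pattern.count("|") % 2:
        raise ValueError("unbalanced pipes in content pattern")
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode(path: str) -> bytes:
    """Decode %XX escapes to raw bytes once; malformed escapes stay literal."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), path).encode("latin-1")

def normalize_uri(uri: str) -> str:
    """Percent-decode the path, fold overlong '/' (assumption), resolve '.' and '..'."""
    path, sep, query = uri.partition("?")
    raw = percent_decode(path).replace(b"\xc0\xaf", b"/")
    segments = []
    for seg in raw.split(b"/"):
        if seg == b"..":
            if segments:
                segments.pop()
        elif seg not in (b"", b"."):
            segments.append(seg)
    return "/" + b"/".join(segments).decode("latin-1") + sep + query

def request_target(payload: bytes) -> Optional[str]:
    """Request-target of an HTTP request line: b'GET /x?y HTTP/1.0' -> '/x?y'."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode("latin-1") if len(parts) == 3 else None

def content_matches(payload: bytes, content: str, offset: int = 0,
                    case_insensitive: bool = False, decode_as_uri: bool = False) -> bool:
    """Apply one payload-option row: search for Content at or after Offset."""
    needle = parse_content(content)
    if decode_as_uri:
        target = request_target(payload)
        if target is None:
            return False
        hay = normalize_uri(target).encode("latin-1")  # search the normalized URI buffer
    else:
        hay = payload
    hay = hay[offset:]
    if case_insensitive:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

# Constructed request carrying the traversal from the example above.
REQUEST = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n"
           b"Host: example.test\r\n\r\n")

if __name__ == "__main__":
    print(normalize_uri("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"))
```

The pair of checks on the same request shows the point of the note above: a Decode as URI signature with content cmd.exe fires on the normalized buffer, while a Decode as URI signature whose content is the encoded traversal ..%c0%af never fires, because that text no longer exists after normalization; to catch the encoded form itself, leave Decode as URI set to No and match the raw payload.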
Applying Custom Signatures
After you create your custom signature, it becomes available in an IDP profile (Configuration > Security Service > IDP > Profile > Edit screen). Custom signatures have an SID from 9000000 to 9999999.
Search for, then activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone.
Verifying Custom Signatures
Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Monitor > Log).
The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (53 for DNS in this case) that the attack tries to exploit.
The White List Screen
Use this screen to list signatures that will be exempted from IDP inspection. The Zyxel Device will exclude incoming packets with the listed signature(s) from being intercepted and inspected.
Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
Configuration > Security Service > IDP > White List 
LABEL
Description
White List Settings
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
#
This is the entry’s index number in the list.
Signature ID
This field displays the signature ID of this entry.
Signature Name
This field displays the signature name of this entry.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
IDP Profile
To use multiple profiles for this feature, run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style advance
Router(config)# show secure-policy-style status
secure-policy-style: advance
After you run these commands, go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will see the new profile screen for this feature.
The following table describes the labels in this screen.
Label
Description
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
Select an entry and click Remove to delete the selected entry.
#
This field is a sequential value showing the number of the profile. The profile order is not important.
Name
This displays the name of the profile created.
Description
This displays the description of the profile.
Add or Edit an IDP Profile
Click Add to create a new entry or select an existing entry and click Edit to open the following screen where you can create or modify the entry’s settings.
The following table describes the labels in this screen.
Configuration > Security Service > IDP  
label
Description
Configuration
 
Profile Name
Type the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Description
Type a description for the profile rule to help identify the purpose of the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is optional.
Query Signatures
 
Name
Type the name or part of the name of the signature(s) you want to find.
Signature ID
Type the ID or part of the ID of the signature(s) you want to find.
Search all custom signatures
Select this check box to include signatures you created or imported in the Custom Signatures screen in the search. You can search for specific signatures by name or ID. If the name and ID fields are left blank, then all signatures are searched according to the criteria you select.
Severity
Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections.
These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc.
Classification Type
Search for signatures by attack type(s). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections.
Platform
Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections.
Service
Search for signatures by IDP service group(s). Hold down the [Ctrl] key if you want to make multiple selections.
Action
Search for signatures by the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections.
Activation
Search for activated and/or inactivated signatures here.
Log
Search for signatures by log option here.
Query Result
The results are displayed in a table showing the SID, Name, Severity, Classification Type, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Link a Profile
To link a profile to a policy, go to the Configuration > Security Policy > Policy Control screen, select a policy, and then click Edit. In the Edit Policy screen under Profile, select which profile you want to use for each security service.
The IDP Advance Screen
The Configuration > Security Service > IDP screen changes when using profiles.
The following table describes the fields in this screen.
Configuration > Security Service > IDP Advance
Label
Description
General Settings
Enable
Select this check box to activate the IDP feature which detects and prevents malicious or suspicious packets and responds instantaneously.
Inspect all traffic
Select this to have all traffic inspected by default_profile. You cannot rename or delete default_profile, but you can edit it by clicking the link here.
Inspect by policy
If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy in Security Policy > Policy Control.
Custom Signature Rules
Use this part of the screen to create, edit, delete or export (save to your computer) custom signatures.
Add
Click this to create a new entry.
Edit
Select an entry and click this to be able to modify it.
Remove
Select an entry and click this to delete it.
Export
To save an entry or entries as a file on your computer, select them and click Export. Click Save in the file download dialog box and then select a location and name for the file.
Custom signatures must end with the ‘rules’ file name extension, for example, MySig.rules.
#
This is the entry’s index number in the list.
SID
SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. It is automatically created when you click the Add icon to create a new signature. You can edit the ID, but it cannot already exist and it must be in the 9000000 to 9999999 range.
Name
This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent.
Custom Signature Rule Importing
Use this part of the screen to import custom signatures (previously saved to your computer) to the Zyxel Device.
Note: The name of the complete custom signature file on the Zyxel Device is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the Zyxel Device are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’.
File Path
Type the file path and name of the custom signature file you want to import in the text box (or click Browse to find it on your computer) and then click Importing to transfer the file to the Zyxel Device.
New signatures then display in the Zyxel Device IDP > Custom Signatures screen.
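The import path described above has no dry run: a file named custom.rules silently replaces every custom signature, and a rule whose SID collides with one already on the device or falls outside 9000000 to 9999999 is rejected only after upload. The following Python script is an added example, not Zyxel's own code, that runs those checks on a .rules file before you upload it. It assumes each rule sits on one line and carries Snort-style `sid:` and `msg:` options (an assumption about the custom signature syntax; confirm it against your device's documentation), and the sample rules at the bottom are constructed for illustration only.

```python
"""Pre-import checks for a Zyxel IDP custom signature file.

Added example, not Zyxel's code. Before uploading a .rules file it checks:
  * the file name ends in .rules (required by the IDP Advance screen)
  * a file named custom.rules would overwrite every custom signature
  * every rule has a SID that is unique and inside 9000000..9999999,
    and does not collide with a SID already on the device
  * duplicate names are allowed, so they only raise a warning
Assumption: rules are one per line with Snort-style `sid:NNN;` and
`msg:"...";` options. Adjust the two regexes if your syntax differs.
"""
import re
from dataclasses import dataclass, field

SID_MIN, SID_MAX = 9_000_000, 9_999_999   # range enforced by the device
RESERVED_NAME = "custom.rules"            # importing this name overwrites all

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


@dataclass
class Report:
    errors: list = field(default_factory=list)    # block the import
    warnings: list = field(default_factory=list)  # import works, but review

    @property
    def ok(self) -> bool:
        return not self.errors


def check_rules(filename: str, text: str, existing_sids=()) -> Report:
    """Validate the file name and every rule line.

    existing_sids: SIDs already present on the device (from the Custom
    Signature Rules list), so collisions are caught before upload.
    """
    rep = Report()
    if not filename.endswith(".rules"):
        rep.errors.append(f"{filename}: file name must end with .rules")
    if filename == RESERVED_NAME:
        rep.warnings.append(f"{filename}: this name overwrites all custom signatures on import")

    seen_sids, seen_names = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            rep.errors.append(f"line {lineno}: rule has no sid option")
            continue
        sid = int(m.group(1))
        if not SID_MIN <= sid <= SID_MAX:
            rep.errors.append(f"line {lineno}: sid {sid} outside {SID_MIN}-{SID_MAX}")
        if sid in seen_sids:
            rep.errors.append(f"line {lineno}: sid {sid} already used on line {seen_sids[sid]}")
        elif sid in existing_sids:
            rep.errors.append(f"line {lineno}: sid {sid} already exists on the device")
        seen_sids.setdefault(sid, lineno)

        n = MSG_RE.search(line)
        name = n.group(1) if n else ""
        if name in seen_names:
            rep.warnings.append(f"line {lineno}: name {name!r} duplicates line {seen_names[name]}")
        seen_names.setdefault(name, lineno)
    return rep


# Constructed sample: one good rule, one SID clash with the device,
# one SID reused inside the file (with a duplicate name), one SID out of range.
SAMPLE = """\
# constructed sample, not a real signature set
alert tcp any any -> any 80 (msg:"Demo HTTP probe"; content:"/probe"; sid:9000001;)
alert tcp any any -> any 22 (msg:"Demo SSH banner"; content:"SSH-"; sid:9000002;)
alert udp any any -> any 53 (msg:"Demo HTTP probe"; content:"|00 01|"; sid:9000001;)
alert tcp any any -> any 25 (msg:"Out of range"; content:"HELO"; sid:8999999;)
"""

if __name__ == "__main__":
    report = check_rules("MySig.rules", SAMPLE, existing_sids={9000002})
    for err in report.errors:
        print("ERROR", err)
    for warn in report.warnings:
        print("WARN ", warn)
    print("import allowed" if report.ok else "fix the errors before importing")
```

Run the script on the file you exported or wrote, passing the SIDs shown in the Custom Signature Rules list as existing_sids; only upload when the report has no errors, and rename the file if it warns about custom.rules unless a full overwrite is what you intend.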
Signature Information
The following fields display information on the current signature set that the Zyxel Device is using.
Current Version
This field displays the IDP signature set version number. This number gets larger as the set is enhanced.
Signature Number
This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones.
Released Date
This field displays the date and time the set was released.
Update Signatures
Click this link to go to the screen you can use to download signatures from the update server.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Remove Profiles
To remove profiles and revert to the default general security policy style, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security.
Note: All profiles that you created will be removed from Security Policy > Policy Control.
Run the following commands in the Zyxel Device Command Line Interface (CLI).
Router# configure terminal
Router(config)# secure-policy-style general
Router(config)# show secure-policy-style status
secure-policy-style: general
Wait a minute and then go to the feature screen again in the web configurator. You will be prompted to log out and then log in again.
After you log in again, you will not see the profile screen for this feature.