Chapter 30 IDP

Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL             DESCRIPTION

Payload Size      This field may be used to check for abnormally sized packets or for
                  detecting buffer overflows.
                  Select the check box, then select Equal, Smaller or Greater and then type
                  the payload size.
                  Stream rebuilt packets are not checked regardless of the size of the
                  payload.

Add               Click this to create a new entry.

Edit              Select an entry and click this to be able to modify it.

Remove            Select an entry and click this to delete it.

#                 This is the entry’s index number in the list.

Offset            This field specifies where to start searching for a pattern within a
                  packet. For example, an offset of 5 would start looking for the specified
                  pattern after the first five bytes of the payload.

Content           Type the content that the signature should search for in the packet
                  payload. Hexadecimal code entered between pipes is converted to ASCII.
                  For example, you could represent the ampersand as either & or |26| (26 is
                  the hexadecimal code for the ampersand).

Case-insensitive  Select Yes if content casing does NOT matter.

Decode as URI     A Uniform Resource Identifier (URI) is a string of characters for
                  identifying an abstract or physical resource (RFC 2396). A resource can be
                  anything that has identity, for example, an electronic document, an image,
                  a service (“today's weather report for Taiwan”), a collection of other
                  resources. An identifier is an object that can act as a reference to
                  something that has identity. Example URIs are:
                    ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer
                    Protocol services
                    http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for
                    Hypertext Transfer Protocol services
                    mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
                    telnet://melvyl.ucop.edu/; telnet scheme for interactive services via
                    the TELNET Protocol
                  Select Yes for the signature to search for normalized URI fields. This
                  means that if you are writing signatures that include normalized content,
                  such as %2 for directory traversals, these signatures will not be triggered
                  because the content is normalized out of the URI buffer. For example, the
                  URI:
                    /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
                  will get normalized into:
                    /winnt/system32/cmd.exe?/c+ver
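To make the Offset, Content, Case-insensitive and Decode as URI fields concrete, the following added Python example emulates how such a custom signature is evaluated against one payload; it is not Zyxel code and assumes a simplified normalizer (percent-decoding, folding overlong two-byte encodings of ASCII such as %c0%af, and resolving dot segments), which is enough to reproduce the normalization shown in the table and to show why a signature written on the encoded form no longer triggers once Decode as URI is set to Yes.

```python
from urllib.parse import unquote_to_bytes


def parse_content(content: str) -> bytes:
    """Content field: plain text is literal, hex between pipes is decoded ('|26|' -> b'&')."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content")
    out = bytearray()
    for i, part in enumerate(parts):
        # odd-numbered parts sit between a pair of pipes and are hexadecimal
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def normalize_uri(uri: bytes) -> bytes:
    """Assumed normalizer: percent-decode the path, fold overlong two-byte UTF-8 forms of
    ASCII (%c0%af -> '/'), then resolve '.' and '..' segments; the query is kept as-is."""
    path, sep, query = uri.partition(b"?")
    raw = unquote_to_bytes(path)
    decoded = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        # lead bytes 0xC0/0xC1 only occur in overlong encodings of 0x00-0x7F
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            decoded.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            decoded.append(b)
            i += 1
    segments = []
    for seg in decoded.split(b"/"):
        if seg == b"..":
            if segments:  # '..' above the root is clamped at '/'
                segments.pop()
        elif seg not in (b"", b"."):
            segments.append(seg)
    return b"/" + b"/".join(segments) + sep + query


def matches(payload: bytes, content: str, offset: int = 0,
            case_insensitive: bool = False, decode_as_uri: bool = False) -> bool:
    """Evaluate the Offset / Content / Case-insensitive / Decode as URI fields on a payload."""
    haystack = normalize_uri(payload) if decode_as_uri else payload
    pattern = parse_content(content)
    if case_insensitive:
        haystack, pattern = haystack.lower(), pattern.lower()
    # the search starts after the first `offset` bytes of the payload
    return haystack.find(pattern, offset) != -1
```

With the traversal URI from the table as the payload, `matches(uri, "%c0%af", decode_as_uri=True)` is False while `matches(uri, "/winnt/system32/cmd.exe", decode_as_uri=True)` is True, which is the behaviour the Decode as URI row describes.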

505

ZyWALL USG 50 User’s Guide