Chapter 30 IDP

Network Intrusions

Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/ server. Typical “network-based intrusions” are SQL slammer, Blaster, Nimda MyDoom etc.

Snort Signatures

You may want to refer to open source Snort signatures when creating custom ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided into two logical sections, the rule header and the rule options as shown in the following example:

alert tcp any any -> 192.168.1.0/24 111 (content:”00 01 a5”; msg:”mountd access”;)

The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are the option keywords.

The rule header contains the rule's:

Action

Protocol

Source and destination IP addresses and netmasks

Source and destination ports information.

The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.

These are some equivalent Snort terms in the ZyWALL.

Table 152 ZyWALL - Snort Equivalent Terms

ZYWALL TERM

SNORT EQUIVALENT TERM

Type Of Service

tos

 

 

Identification

id

 

 

Fragmentation

fragbits

 

 

Fragmentation Offset

fragoffset

 

 

Time to Live

ttl

 

 

IP Options

ipopts

 

 

 

511

ZyWALL USG 50 User’s Guide