ZyXEL Communications USG 2000 manual 588

LABEL

DESCRIPTION

Flow

If selected, the signature only applies to certain directions of the

traffic flow and only to clients or servers. Select Flow and then select

the identifying options.

Established: The signature only checks for established TCP

connections

Stateless: The signature is triggered regardless of the state of the

stream processor (this is useful for packets that are designed to

cause devices to crash)

To Client: The signature only checks for server responses from A to

B.

To Server: The signature only checks for client requests from B to A.

From Client:.The signature only checks for client requests from B to

A.

From Servers: The signature only checks for server responses from

A to B.

No Stream: The signature does not check rebuilt stream packets.

Only Stream: The signature only checks rebuilt stream packets.

Flags

Select what TCP flag bits the signature should check.

Sequence

Use this field to check for a specific TCP sequence number.

Number

Ack Number

Use this field to check for a specific TCP acknowledgement number.

Window Size

Use this field to check for a specific TCP window size.

Transport

Protocol: UDP

Port

Select the check box and then enter the source and destination UDP

port numbers that will trigger this signature.

Transport

Protocol: ICMP

Type

Use this field to check for a specific ICMP type value.

Code

Use this field to check for a specific ICMP code value.

ID

Use this field to check for a specific ICMP ID value. This is useful for

covert channel programs that use static ICMP fields when they

communicate.

Sequence

Use this field to check for a specific ICMP sequence number. This is

Number

useful for covert channel programs that use static ICMP fields when

they communicate.

Payload Options

The longer a payload option is, the more exact the match, the faster

the signature processing. Therefore, if possible, it is recommended to

have at least one payload option in your signature.