Chapter 34 IDP

Table 159 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

| LABEL | DESCRIPTION |
| --- | --- |
| Flow | If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options. |
| | Established: The signature only checks for established TCP connections. |
| | Stateless: The signature is triggered regardless of the state of the stream processor (this is useful for packets that are designed to cause devices to crash). |
| | To Client: The signature only checks for server responses from A to B. |
| | To Server: The signature only checks for client requests from B to A. |
| | From Client: The signature only checks for client requests from B to A. |
| | From Servers: The signature only checks for server responses from A to B. |
| | No Stream: The signature does not check rebuilt stream packets. |
| | Only Stream: The signature only checks rebuilt stream packets. |
| Flags | Select what TCP flag bits the signature should check. |
| Sequence Number | Use this field to check for a specific TCP sequence number. |
| Ack Number | Use this field to check for a specific TCP acknowledgement number. |
| Window Size | Use this field to check for a specific TCP window size. |
| Transport Protocol: UDP | |
| Port | Select the check box and then enter the source and destination UDP port numbers that will trigger this signature. |
| Transport Protocol: ICMP | |
| Type | Use this field to check for a specific ICMP type value. |
| Code | Use this field to check for a specific ICMP code value. |
| ID | Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate. |
| Sequence Number | Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate. |
| Payload Options | The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. |
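The ICMP ID and Sequence Number fields above match fixed values, so the values have to be found first. The following added example (not part of the ZyWALL guide; the function names, threshold and sample packets are assumptions constructed for illustration) parses ICMP echo headers from captured traffic and reports sources that repeat one ID and sequence pair, which are the values to enter in those fields.

```python
import struct
from collections import defaultdict

def parse_icmp_echo(icmp_bytes):
    """Return (type, code, ident, seq) for an ICMP echo header, else None."""
    if len(icmp_bytes) < 8:
        return None  # truncated header
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp_bytes[:8])
    if icmp_type not in (0, 8):  # ID/sequence exist only in echo reply/request
        return None
    return icmp_type, code, ident, seq

def static_field_sources(packets, min_packets=5):
    """packets: iterable of (src_ip, icmp_bytes).

    Ordinary ping increments the sequence number on every request. A source
    that sends at least min_packets echo requests with one unchanging
    (ID, sequence) pair is reported as {src_ip: (ident, seq)}.
    """
    seen = defaultdict(list)
    for src, raw in packets:
        parsed = parse_icmp_echo(raw)
        if parsed and parsed[0] == 8:  # echo requests only
            seen[src].append((parsed[2], parsed[3]))
    return {
        src: pairs[0]
        for src, pairs in seen.items()
        if len(pairs) >= min_packets and len(set(pairs)) == 1
    }

def make_echo(ident, seq, payload=b"x"):
    """Build a constructed echo request; checksum is left 0 (not validated here)."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed sample capture using documentation addresses (192.0.2.0/24).
SAMPLE = [("192.0.2.10", make_echo(0x1234, n)) for n in range(6)]   # normal ping
SAMPLE += [("192.0.2.66", make_echo(0xBEEF, 0)) for _ in range(6)]  # static fields
SAMPLE.append(("192.0.2.10", b"\x08\x00"))                          # truncated, ignored

if __name__ == "__main__":
    for src, (ident, seq) in static_field_sources(SAMPLE).items():
        print(f"{src}: static ICMP ID={ident} (0x{ident:04x}), sequence={seq}")
```

A constant ID on its own is normal for a single ping process, which is why the check requires the sequence number to stay fixed as well.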

 

 

ZyWALL USG 2000 User’s Guide