ZyWALL 5/35/70 Series User’s Guide

 

 

 

Table 77 Attack Types (continued)

 

 

 

 

 

 

 

 

 

 

TYPE

 

DESCRIPTION

 

 

 

 

 

 

 

 

 

 

Virus/Worm

 

A computer virus is a small program designed to corrupt and/or alter the operation

 

 

 

 

 

of other legitimate programs. A worm is a program that is designed to copy itself

 

 

 

 

 

from one computer to another on a network. A worm’s uncontrolled replication

 

 

 

 

 

consumes system resources thus slowing or stopping other tasks.

 

 

 

 

 

The IDP VirusWorm category refers to network-based viruses and worms. The

 

 

 

 

 

Anti-Virus (AV) screen refers to file-based viruses and worms. Refer to the anti-

 

 

 

 

 

virus chapter for additional information on file-based anti-virus scanning in the

 

 

 

 

 

ZyWALL.

 

 

 

Porn

 

The ZyWALL can block web sites if their URLs contain certain pornographic words.

 

 

 

 

 

It cannot block web pages containing those words if the associated URL does not.

 

 

 

Web Attack

 

Web attack signatures refer to attacks on web servers such as IIS (Internet

 

 

 

 

 

Information Services).

 

 

 

SPAM

 

Spam is unsolicited "junk" e-mail sent to large numbers of people to promote

 

 

 

 

 

products or services. Refer to the anti-spam chapter for more detailed information.

 

 

 

Other

 

This category refers to signatures for attacks that do not fall into the previously

 

 

 

 

 

mentioned categories.

13.3.2

Intrusion Severity

 

 

 

Intrusions are assigned a severity level based on the following table. The intrusion severity

 

 

 

level then determines the default signature action.

 

 

 

Table 78 Intrusion Severity

 

 

 

 

 

 

 

 

 

SEVERITY

DESCRIPTION

 

 

 

 

 

 

 

 

 

 

Severe

These are intrusions that try to run arbitrary code or gain system privileges.

 

 

 

 

 

 

 

 

 

 

High

These are known serious vulnerabilities or intrusions that are probably not false

 

 

 

 

 

alarms.

 

 

 

 

Medium

These are medium threats, access control intrusions or intrusions that could be false

 

 

 

 

 

alarms.

 

 

 

 

Low

These are mild threats or intrusions that could be false alarms.

 

 

 

 

 

 

 

 

 

 

Very Low

These are possible intrusions caused by traffic such as Ping, trace route, ICMP

 

 

 

 

 

queries etc.

 

13.3.3

Signature Actions

 

 

 

You can enable/disable individual signatures. You can log and/or have an alert sent when

traffic meets a signature criteria. You can also change the default action to be taken when a packet or stream matches a signature. The following figure and table describes these actions. Note that in addition to these actions, a log may be generated or an alert sent, if those check boxes are selected and the signature is enabled.

Chapter 13 Configuring IDP

244