Chapter 29 IDP
The following table describes the fields in this screen.
Table 137
LABEL | DESCRIPTION
Name | Type the name of your custom signature. You may use [...] characters, underscores (_), or dashes [...] number. This value is [...]. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to the intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention.
Signature ID | A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID.
Information | Use the following fields to set general information about the signature.
Severity | The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. See Table 131 on page 426 as a reference.
Platform | Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, which manufactures [...] (SGI's version of UNIX). A router is an example of a network device.
Service | Select the IDP service group that the intrusion exploits or targets. See Table 133 on page 428 for a list of IDP service groups. The custom signature then appears in that group in the IDP > Profile > Group View screen.
Policy Type | Categorize the type of intrusion here. See Table 132 on page 427 as a reference.
Frequency | Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion.
Threshold | Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion.
|
Header Options |
Network Protocol | Configure signatures for IP version 4.
Type Of Service | The Type of Service field in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or [...]
Identification | The Identification field identifies the datagram (together with its source, destination and protocol). If a datagram is fragmented, every fragment carries the same Identification value so the receiver knows which datagram the fragment belongs to. Some intrusions use an invalid or fixed Identification number. Select the check box and then type in the number that the intrusion uses.
Fragmentation | The IP header carries three fragmentation flag bits: a reserved bit (which must always be zero), Don't Fragment (DF) and More Fragments (MF). Some intrusions can be identified by these flags, for example a packet with the reserved bit set. Select the check box and then select the flag that the intrusion uses.
Fragmentation Offset | When an IP datagram is fragmented, it is reassembled at the final destination. The Fragmentation Offset identifies where the fragment belongs in a set of fragments (measured in units of 8 bytes). Some intrusions use an invalid Fragmentation Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number.
Time to Live | Time to Live is a counter that is decremented every time the datagram passes through a router. When it reaches zero, the datagram is discarded. Usually it is used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number.
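As an added example (not ZyWALL code and not the appliance's actual matching engine), the following Python shows how the Header Options comparisons from this table (Equal, Smaller, Greater, plus a bit test for the fragmentation flags) and the Threshold frequency rule (N packets per M seconds) can be evaluated against raw IPv4 headers. The signature names, SIDs, condition field names and the packets fed through it are constructed for illustration; the three-bit Flags layout follows RFC 791 and the 9000000 to 9999999 SID range follows the Signature ID row above.

```python
"""Toy IPv4 header matcher for the custom-signature fields in Table 137 (added example)."""
import operator
import socket
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# IP Flags field (RFC 791): bit 2 reserved (must be zero), bit 1 DF, bit 0 MF
FLAG_RESERVED = 0b100
FLAG_DF = 0b010
FLAG_MF = 0b001


@dataclass
class IPv4Header:
    tos: int
    identification: int
    flags: int
    fragment_offset: int   # in units of 8 bytes
    ttl: int
    src: str
    dst: str


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header; reject truncated or non-IPv4 input."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, ident, flags_frag,
     ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if (ver_ihl & 0x0F) < 5:
        raise ValueError("invalid IHL")
    return IPv4Header(tos, ident, flags_frag >> 13, flags_frag & 0x1FFF,
                      ttl, socket.inet_ntoa(src), socket.inet_ntoa(dst))


def build_ipv4_header(tos=0, ident=0, flags=0, frag_offset=0, ttl=64,
                      src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Constructed test packets (header only, protocol TCP, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, ident,
                       (flags << 13) | (frag_offset & 0x1FFF), ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# The three comparison choices on the screen, plus a bit test for the Flags field
OPS: Dict[str, Callable[[int, int], bool]] = {
    "equal": operator.eq,
    "smaller": operator.lt,
    "greater": operator.gt,
    "flag_set": lambda have, want: (have & want) != 0,
}


@dataclass
class HeaderCondition:
    field_name: str   # IPv4Header attribute: tos, identification, flags, fragment_offset, ttl
    op: str
    value: int

    def matches(self, hdr: IPv4Header) -> bool:
        return OPS[self.op](getattr(hdr, self.field_name), self.value)


@dataclass
class CustomSignature:
    name: str
    sid: int
    conditions: List[HeaderCondition]
    threshold_packets: Optional[int] = None    # Threshold: this many packets ...
    threshold_seconds: Optional[float] = None  # ... within this many seconds
    _hits: List[float] = field(default_factory=list)

    def __post_init__(self):
        if not 9000000 <= self.sid <= 9999999:
            raise ValueError("custom SIDs must be in the 9000000-9999999 range")
        if (self.threshold_packets is None) != (self.threshold_seconds is None):
            raise ValueError("a threshold needs both a packet count and a window")

    def inspect(self, hdr: IPv4Header, now: float) -> bool:
        """True when this packet should be reported as an intrusion."""
        if not all(c.matches(hdr) for c in self.conditions):
            return False
        if self.threshold_packets is None:
            return True                      # no frequency rule: report the first hit
        self._hits.append(now)               # sliding window of matching packets
        self._hits = [t for t in self._hits if now - t < self.threshold_seconds]
        return len(self._hits) >= self.threshold_packets


def run_demo() -> list:
    """Feed constructed packets through three hypothetical signatures; return alerts."""
    sigs = [
        # Reserved flag bit must be zero (RFC 791); a set bit means a crafted packet
        CustomSignature("ip-reserved-bit-set", 9000001,
                        [HeaderCondition("flags", "flag_set", FLAG_RESERVED)]),
        # Offset 1 (8 bytes) with MF set is the classic tiny-fragment evasion shape
        CustomSignature("ip-tiny-fragment", 9000002,
                        [HeaderCondition("fragment_offset", "equal", 1),
                         HeaderCondition("flags", "flag_set", FLAG_MF)]),
        # Low-TTL packets only count as an intrusion if 3 arrive within 2 seconds
        CustomSignature("ip-low-ttl-burst", 9000003,
                        [HeaderCondition("ttl", "smaller", 5)],
                        threshold_packets=3, threshold_seconds=2.0),
    ]
    packets = [  # (arrival time in seconds, raw header) - constructed sample traffic
        (0.0, build_ipv4_header(flags=FLAG_RESERVED | FLAG_DF)),
        (0.1, build_ipv4_header(flags=FLAG_MF, frag_offset=1, ident=0x1234)),
        (0.2, build_ipv4_header(ttl=2)),
        (0.5, build_ipv4_header(ttl=3)),
        (0.9, build_ipv4_header(ttl=1)),      # third low-TTL packet within 2 s: alert
        (5.0, build_ipv4_header(ttl=1)),      # outside the window: no alert
    ]
    alerts = []
    for ts, raw in packets:
        hdr = parse_ipv4_header(raw)
        for sig in sigs:
            if sig.inspect(hdr, ts):
                alerts.append((ts, sig.sid, sig.name))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note that the sliding window here is kept per signature, so bursts from different hosts are added together; a production engine keys the Threshold counter by source address or flow so that one noisy host cannot trigger the rule on behalf of everyone. The SID range check mirrors the Signature ID row: anything outside 9000000 to 9999999 is rejected before the signature can be used.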
ZyWALL USG 1000 User's Guide    437
|
|