Chapter 29 IDP
Table 137
LABEL | DESCRIPTION |
IP Options | IP options is a |
| Security Option, IP Stream Identifier, (security and handling restrictions for the |
| military), Record Route (have each router record its IP address), Loose Source |
| Routing (specifies a list of IP addresses that must be traversed by the datagram), |
| Strict Source Routing (specifies a list of IP addresses that must ONLY be |
| traversed by the datagram), Timestamp (have each router record its IP address |
| and time), End of IP List and No IP Options. IP Options can help identify some |
| intrusions. Select the check box, then select an item from the list box that the |
| intrusion uses |
|
|
Same IP | Select the check box for the signature to check for packets that have the same |
| source and destination IP addresses. |
|
|
Transport Protocol | The following fields vary depending on whether you choose TCP, UDP or ICMP. |
|
|
Transport |
|
Protocol: TCP |
|
|
|
Port | Select the check box and then enter the source and destination TCP port |
| numbers that will trigger this signature. |
|
|
Flow | If selected, the signature only applies to certain directions of the traffic flow and |
| only to clients or servers. Select Flow and then select the identifying options. |
| Established: The signature only checks for established TCP connections |
| Stateless: The signature is triggered regardless of the state of the stream |
| processor (this is useful for packets that are designed to cause devices to crash) |
| To Client: The signature only checks for server responses from A to B. |
| To Server: The signature only checks for client requests from B to A. |
| From Client:.The signature only checks for client requests from B to A. |
| From Servers: The signature only checks for server responses from A to B. |
| No Stream: The signature does not check rebuilt stream packets. |
| Only Stream: The signature only checks rebuilt stream packets. |
|
|
Flags | Select what TCP flag bits the signature should check. |
|
|
Sequence | Use this field to check for a specific TCP sequence number. |
Number |
|
|
|
Ack Number | Use this field to check for a specific TCP acknowledgement number. |
|
|
Window Size | Use this field to check for a specific TCP window size. |
|
|
Transport |
|
Protocol: UDP |
|
|
|
Port | Select the check box and then enter the source and destination UDP port |
| numbers that will trigger this signature. |
|
|
Transport |
|
Protocol: ICMP |
|
|
|
Type | Use this field to check for a specific ICMP type value. |
|
|
Code | Use this field to check for a specific ICMP code value. |
|
|
ID | Use this field to check for a specific ICMP ID value. This is useful for covert |
| channel programs that use static ICMP fields when they communicate. |
|
|
Sequence | Use this field to check for a specific ICMP sequence number. This is useful for |
Number | covert channel programs that use static ICMP fields when they communicate. |
|
|
Payload Options | The longer a payload option is, the more exact the match, the faster the signature |
| processing. Therefore, if possible, it is recommended to have at least one payload |
| option in your signature. |
|
|
438 |
| |
ZyWALL USG 1000 User’s Guide |
| |
|
|
|