Chapter 29 IDP

Table 137

| LABEL | DESCRIPTION |
| --- | --- |
| Payload Size | This field may be used to check for abnormally sized packets or to detect buffer overflows. Select the check box, then select Equal, Smaller or Greater and type the payload size (in bytes). Stream-rebuilt packets are not checked, regardless of the size of the payload. |
| Offset | This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 starts looking for the specified pattern after the first five bytes of the payload. |
| Content | Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipe characters is converted to the bytes it names before matching. For example, you could represent the ampersand either literally as & or as the hex code 26 between pipes (26 is the hexadecimal code for the ampersand). |
| Case-insensitive | Select this check box if the casing of the content does NOT matter. |
| Decode as URI | Select this check box for the signature to search the normalized URI field rather than the raw request. A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example an electronic document, an image, a service ("today's weather report for Taiwan") or a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example schemes from RFC 2396: ftp (File Transfer Protocol services), for example ftp://ftp.is.co.za/rfc/rfc1808.txt; http (Hypertext Transfer Protocol services); mailto (electronic mail addresses), for example mailto:mduerst@ifi.unizh.ch; telnet (interactive services via the TELNET protocol), for example telnet://melvyl.ucop.edu/. Because matching is done against the normalized URI buffer, a signature whose content includes encoded or traversal sequences, such as %2f (an encoded slash) or ../, will not trigger: that content is normalized out of the buffer before the comparison. For example, the URI /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver (where %c0%af is an overlong UTF-8 encoding of the slash) is normalized into /winnt/system32/cmd.exe?/c+ver. Write the content as it appears after normalization. |
| OK | Click this button to save your changes to the ZyWALL and return to the summary screen. |
| Cancel | Click this button to return to the summary screen without saving any changes. |
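The fields in Table 137, modelled in Python as an added example: this is not the ZyWALL's own matcher, and the Signature class, the request-line parser and the simplified URI normalizer are assumptions made for illustration, with the sample request constructed rather than captured. It shows that |26| and & yield the same Content pattern, how Offset, Case-insensitive and Payload Size gate a match, and why a Decode as URI signature written as %c0%af or ../ never fires on the table's example URI while one written against the normalized path does.

```python
"""Model of the Table 137 custom-signature fields applied to one packet payload.
Added example, not the ZyWALL's own matcher; the URI normalizer is simplified."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]*)\|")   # hex between pipes: |26| or |0d 0a|


def parse_content(content: str) -> bytes:
    """Content field -> bytes to search for: text is literal, hex between pipes is
    converted, so '|26|' and '&' give the same pattern (odd digit count -> ValueError)."""
    out, pos = bytearray(), 0
    for m in HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))      # spaces between byte pairs are ignored
        pos = m.end()
    return bytes(out + content[pos:].encode("latin-1"))


def percent_decode(s: str) -> bytes:
    """Replace each %XX with the byte it names; everything else passes through."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                  s.encode("latin-1"))


def decode_utf8_lenient(raw: bytes) -> str:
    """Decode two-byte UTF-8 without rejecting overlong forms, so C0 AF becomes '/'
    as on a server that accepts it. Other bytes are taken as Latin-1 (simplification)."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_uri(uri: str) -> str:
    """Percent-decode the path, accept overlong UTF-8, resolve '.' and '..'
    segments; the query string is left untouched."""
    path, sep, query = uri.partition("?")
    decoded = decode_utf8_lenient(percent_decode(path))
    segments = []
    for seg in decoded.split("/"):
        if seg == "..":
            segments = segments[:-1]          # climb one level, never above root
        elif seg not in ("", "."):
            segments.append(seg)
    out = "/" + "/".join(segments)
    if decoded.endswith("/") and segments:
        out += "/"
    return out + sep + query


def request_uri(payload: bytes) -> Optional[str]:
    """Request-target from an HTTP request line (METHOD SP target SP version)."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return parts[1] if len(parts) == 3 else None


@dataclass
class Signature:
    content: str
    offset: int = 0
    case_insensitive: bool = False
    decode_as_uri: bool = False
    payload_size: Optional[Tuple[str, int]] = None   # ("Equal"|"Smaller"|"Greater", bytes)


def payload_size_ok(sig: Signature, payload: bytes) -> bool:
    if sig.payload_size is None:
        return True
    op, n = sig.payload_size
    return {"Equal": len(payload) == n, "Smaller": len(payload) < n,
            "Greater": len(payload) > n}[op]


def matches(sig: Signature, payload: bytes) -> bool:
    """Apply the signature to one payload following the table's field rules."""
    if not payload_size_ok(sig, payload):
        return False
    if sig.decode_as_uri:                     # search the normalized URI buffer
        uri = request_uri(payload)
        if uri is None:
            return False
        haystack = normalize_uri(uri).encode("latin-1", "replace")
    else:
        haystack = payload
    haystack = haystack[sig.offset:]          # Offset: skip the first N bytes
    needle = parse_content(sig.content)
    if sig.case_insensitive:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed sample request (not a capture); the URI is the one from the table.
REQUEST = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n"
           b"Host: example.test\r\n\r\n")
```

Calling matches(Signature("%c0%af", decode_as_uri=True), REQUEST) returns False because the overlong slash and the ../ segments are resolved before the comparison, while the same Content with decode_as_uri=False returns True against the raw payload; matches(Signature("cmd.exe?/c+ver", decode_as_uri=True), REQUEST) is the form that fires. The normalizer resolves only what the table's example needs (percent-decoding, two-byte overlong UTF-8, dot segments); a production HTTP inspector also handles longer multi-byte sequences, double encoding and backslash separators, so treat this as a reasoning aid rather than a reference implementation.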
|
Before creating a custom signature, you must first clearly understand the vulnerability.
29.10.2.1 Understand the Vulnerability
Check the ZyWALL logs when the attack occurs. Use web sites such as Google and SecurityFocus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
As an example, say you want to create a signature for the ‘Microsoft Windows
439
ZyWALL USG 1000 User’s Guide