 Chapter 29 IDP
ZyWALL USG 300 User’s Guide
439
Table 137   Anti-X > IDP > Custom Signatures > Add/Edit (continued)
LABEL
DESCRIPTION
Payload Size
This field may be used to check for abnormally sized packets or to detect buffer overflows, which typically arrive as unusually large payloads. Select the check box, then select Equal, Smaller or Greater and type the payload size in bytes.
Stream-rebuilt packets are not checked, regardless of the size of the payload.
Offset
This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 starts looking for the specified pattern after the first five bytes of the payload.
Content
Type the content that the signature should search for in the packet payload. Hexadecimal values entered between pipes are matched as the corresponding raw bytes. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand). Use the pipe form for bytes that cannot be typed, such as nulls or other non-printable characters.
Case-insensitive
Select this check box if the case of the content does NOT matter.
Decode as URI
A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), or a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:
ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol services
http://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol services
mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addresses
telnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET Protocol
Select this check box to have the signature search the normalized URI field, that is, the URI after percent-encoding has been decoded and "." and ".." path segments have been resolved. Note that a signature written to match the encoded form, such as the percent-encoded characters used in directory traversal attempts, will then not trigger, because the encoding is removed from the URI buffer before the content is compared.
For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
is normalized into:
/winnt/system32/cmd.exe?/c+ver
so a signature for the decoded target (cmd.exe) should have this box selected, while a signature for the encoding trick itself (%c0%af) should not.
OK
Click this button to save your changes to the ZyWALL and return to the summary screen.
Cancel
Click this button to return to the summary screen without saving any changes.
29.10.2  Custom Signature Example
Before creating a custom signature, you must first clearly understand the vulnerability.
29.10.2.1  Understand the Vulnerability
Check the ZyWALL logs when the attack occurs. Use web sites such as Google and Security Focus to get as much information about the attack as you can. The more specific your signature, the less chance it will cause false positives.
As an example, say you want to create a signature for the 'Microsoft Windows Plug-and-Play Service Remote Overflow (MS05-039)' attack. Search the Security Focus web site and you will find that the exploit is sent over the NetBIOS/SMB service in an established TCP connection to port 445 on the target server. Those facts (protocol, direction, port and connection state) belong in the signature alongside the content match, so that the pattern is only compared against traffic that could actually carry the attack.
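The following is an added example and not ZyXEL code: a small Python matcher that models how the Table 137 fields (Payload Size, Offset, Content with |hex| escapes, Case-insensitive and Decode as URI) are applied to a packet payload, and why a signature written for the encoded traversal ..%c0%af.. stops firing once Decode as URI is selected. The normalizer's handling of overlong UTF-8 sequences (%c0%af folded to "/"), the strictness of the Smaller/Greater comparisons and the field names on the Signature class are assumptions made for the demo; the sample URI is the one from the table, constructed here as bytes.

```python
"""Toy matcher for the Custom Signature fields described in Table 137.

Added example, not ZyXEL code. It shows how Payload Size, Offset, Content
(with |hex| escapes), Case-insensitive and Decode as URI interact, and why a
signature written for the *encoded* traversal ..%c0%af.. never fires once
the URI is normalized. Sample input is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def parse_content(spec: str) -> bytes:
    """Turn the Content field into raw bytes: text outside pipes is literal,
    text inside pipes is hex, so 'a|26|b' and 'a&b' both become b'a&b'."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipes in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def _fold_overlong(data: bytes) -> bytes:
    """ASSUMPTION about the normalizer: an overlong two-byte UTF-8 sequence
    (lead byte C0/C1) is folded to the ASCII byte it encodes, e.g. C0 AF -> '/'.
    That is what turns ..%c0%af.. into ../.. in the page's example."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def _remove_dot_segments(path: bytes) -> bytes:
    """Resolve '.' and '..' path segments; '..' above the root is dropped."""
    stack = []
    for seg in path.split(b"/"):
        if seg == b"..":
            if stack:
                stack.pop()
        elif seg not in (b"", b"."):
            stack.append(seg)
    return b"/" + b"/".join(stack)


def normalize_uri(uri: bytes) -> bytes:
    """Decode as URI: percent-decode the path, fold overlong UTF-8 and
    resolve dot segments. The query string (after '?') is kept as-is."""
    path, sep, query = uri.partition(b"?")
    decoded = _fold_overlong(_PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path))
    return _remove_dot_segments(decoded) + sep + query


@dataclass
class Signature:
    content: str                     # Content field, |hex| allowed
    offset: int = 0                  # Offset field (bytes skipped before matching)
    case_insensitive: bool = False   # Case-insensitive check box
    decode_as_uri: bool = False      # Decode as URI check box
    payload_size: Optional[Tuple[str, int]] = None  # ("Equal"|"Smaller"|"Greater", n)


def matches(sig: Signature, payload: bytes) -> bool:
    """Apply one custom signature to a single packet payload."""
    if sig.payload_size is not None:
        op, n = sig.payload_size
        # ASSUMPTION: Smaller/Greater are strict comparisons.
        ok = {"Equal": len(payload) == n,
              "Smaller": len(payload) < n,
              "Greater": len(payload) > n}[op]
        if not ok:
            return False
    buf = normalize_uri(payload) if sig.decode_as_uri else payload
    hay, needle = buf[sig.offset:], parse_content(sig.content)
    if sig.case_insensitive:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


# Constructed sample: the traversal URI from Table 137, as raw bytes.
SAMPLE_URI = b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"


def demo() -> dict:
    """Compare raw and decoded matching on SAMPLE_URI."""
    return {
        "normalized": normalize_uri(SAMPLE_URI),
        # encoded traversal: fires on raw bytes, vanishes after decoding
        "raw_c0af": matches(Signature("%c0%af"), SAMPLE_URI),
        "uri_c0af": matches(Signature("%c0%af", decode_as_uri=True), SAMPLE_URI),
        # decoded target, using the |hex| escape and case folding
        "uri_cmd": matches(Signature("CMD|2e|EXE", case_insensitive=True,
                                     decode_as_uri=True), SAMPLE_URI),
        # offset 5 skips past "/scri", so "scripts" is no longer found
        "offset_past_scripts": matches(Signature("scripts", offset=5), SAMPLE_URI),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the demo shows the practical rule from the table: match the decoded target (cmd.exe) with Decode as URI selected, and match the encoding trick (%c0%af) against the raw payload with it cleared; a single signature cannot do both.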