ZyXEL Communications ZyWALL 300 User Manual

 Chapter 29 IDP
ZyWALL USG 300 User’s Guide
443
Figure 337   Custom Signature Log
29.10.5  Snort Signatures
You may want to refer to open source Snort signatures when creating custom ZyWALL ones. 
Most Snort rules are written in a single line. Snort rules are divided into two logical sections, 
the rule header and the rule options as shown in the following example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)
The text up to the first parenthesis is the rule header and the section enclosed in parentheses 
contains the rule options. The words before the colons in the rule options section are the option 
keywords.
The rule header contains the rule's:
• Action
• Protocol
• Source and destination IP addresses and netmasks
• Source and destination port information.
The rule option section contains alert messages and information on which parts of the packet 
should be inspected to determine if the rule action should be taken. 
These are some equivalent Snort terms in the ZyWALL. 
Table 138   ZyWALL - Snort Equivalent Terms
ZYWALL TERM                  SNORT EQUIVALENT TERM
Type Of Service              tos
Identification               id
Fragmentation                fragbits
Fragmentation Offset         fragoffset
Time to Live                 ttl
IP Options                   ipopts
Same IP                      sameip
Transport Protocol
Transport Protocol: TCP
  Port                       (In Snort rule header)
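The following Python example is added here and is not code from the manual or from ZyXEL. It splits a single-line Snort rule into the rule header (action, protocol, addresses, ports) and the option keywords described above, then looks up the option keywords in the subset of Table 138 shown on this page so that a reader can see which Snort options have a direct ZyWALL custom-signature field. The mountd rule is the manual's example; the second rule, the sid value and the dictionary of table terms are constructed for illustration.

```python
import re
from dataclasses import dataclass

# The manual's example rule (quotes straightened).
SAMPLE_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";)'

# Constructed second rule that uses two keywords Table 138 maps to ZyWALL fields.
SAMPLE_IP_RULE = 'alert ip any any -> any any (msg:"constructed: short TTL with fragments"; ttl:<5; fragbits:M; sid:1000001;)'

# Subset of Table 138 (Snort option keyword -> ZyWALL term) as printed on this page.
ZYWALL_TERMS = {
    "tos": "Type Of Service",
    "id": "Identification",
    "fragbits": "Fragmentation",
    "fragoffset": "Fragmentation Offset",
    "ttl": "Time to Live",
    "ipopts": "IP Options",
    "sameip": "Same IP",
}

@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list  # (keyword, raw value or None) in rule order

def split_options(body: str) -> list:
    """Split 'k:v; k2; k3:"a;b";' into (keyword, value) pairs.
    A semicolon inside a double-quoted string does not end an option,
    and a backslash inside quotes escapes the next character."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            piece = "".join(cur).strip()
            if piece:
                opts.append(piece)
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    pairs = []
    for piece in opts:
        key, sep, val = piece.partition(":")  # only the first colon separates keyword and value
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

# action protocol src_ip src_port direction dst_ip dst_port
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")

def parse_rule(rule: str) -> SnortRule:
    """Split a single-line Snort rule into its header and its parenthesised options."""
    head, sep, rest = rule.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    m = HEADER_RE.match(head.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % head.strip())
    body = rest.rstrip()[:-1]  # drop the closing parenthesis
    return SnortRule(*m.groups(), options=split_options(body))

def zywall_terms(rule: SnortRule) -> dict:
    """Map the rule's option keywords to the ZyWALL names from Table 138.
    Keywords the table (as shown on this page) does not list are reported as unmapped."""
    mapped, unmapped = {}, []
    for key, val in rule.options:
        if key in ZYWALL_TERMS:
            mapped[ZYWALL_TERMS[key]] = val
        else:
            unmapped.append(key)
    return {"mapped": mapped, "unmapped": unmapped}

if __name__ == "__main__":
    for text in (SAMPLE_RULE, SAMPLE_IP_RULE):
        r = parse_rule(text)
        print(r.action, r.protocol, r.src_ip, r.src_port, r.direction, r.dst_ip, r.dst_port)
        print(zywall_terms(r))
```

Option values are kept raw (quotes and the |..| hex notation included) so that the content bytes can be transcribed into the ZyWALL custom signature form unchanged; keywords such as content, msg and sid come back as unmapped because this page of the table does not cover them.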