3 applying custom signatures, 4 verifying custom signatures – ZyXEL Communications 200 Series User Manual

Chapter 29 IDP

ZyWALL USG 100/200 Series User’s Guide

508

29.8.3 Applying Custom Signatures

After you create your custom signature, it becomes available in the IDP service group category
in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from
9000000 to 9999999.

You can activate the signature, configure what action to take when a packet matches it and if it
should generate a log or alert in a profile. Then bind the profile to a zone.

Figure 394 Example: Custom Signature in IDP Profile

29.8.4 Verifying Custom Signatures

You should configure the signature to create a log when an ‘attack packet’ matches the
signature. (You may also want to configure an alert if the attack is more serious and needs
more immediate attention.) After you apply the signature to a zone, you can see if it works by
checking the logs (Maintenance > Logs > View Log).

All IDP signatures come under the IDP category. The Priority column shows warn for
signatures that are configured to generate a log only. It shows critical for signatures that are
configured to generate a log and alert. count is the number of attacks that occurred at that
time. The Note column displays ACCESS FORWARD when no action is configured for the
signature. It displays ACCESS DENIED if you configure the signature action to drop the
packet. The destination port is the service port (NetBIOS in this case) that the attack tries to
exploit.