Custom Signature Example - ZyXEL Communications ZyWall USG 2000 User Manual

Unified security gateway

Chapter 31 IDP

31.8.2 Custom Signature Example

Before creating a custom signature, you must first clearly understand the
vulnerability.
31.8.2.1 Understand the Vulnerability
Check the ZyWALL logs when the attack occurs. Use web sites such as Google or
Security Focus to get as much information about the attack as you can. The more
specific your signature, the less chance it will cause false positives.
As an example, say you want to create a signature for the 'Microsoft Windows
Plug-and-Play Service Remote Overflow (MS-05-39)' attack. Search the Security
Focus web site and you will find it uses the NetBIOS service in established TCP
connections to a server using port 445.
31.8.2.2 Analyze Packets
Then use a packet sniffer such as TCPdump or Ethereal to investigate further.
From the NetBIOS header you see that the first byte, '00', defines the message
type. The next three bytes represent the length of the data, so you can ignore
them. Therefore enter |00| as the first pattern.
Figure 360 Custom Signature Example Pattern 1
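The following is an added example, not code from the ZyWALL manual or from ZyXEL. It shows what the packet analysis above amounts to when written down: parsing the 4-byte header that precedes each SMB message on port 445 (assumed here to be one message-type byte followed by a 3-byte big-endian length, as the manual describes), applying the manual's first pattern |00| at offset 0, and adding a framing sanity check that compares the declared length with the bytes actually present. The sample byte strings are constructed for illustration. The check also makes the false-positive point concrete: |00| alone matches every ordinary session message, which is why the manual goes on to add more specific patterns.

```python
# Constructed sample data (not from the manual): a 4-byte NetBIOS-over-TCP
# session header followed by a payload. Byte 0 = message type (0x00 = session
# message), bytes 1..3 = 24-bit big-endian payload length.
SAMPLE_OK = bytes([0x00, 0x00, 0x00, 0x04]) + b"\xffSMB"
# Header claims 16 payload bytes but only 4 follow: malformed framing.
SAMPLE_BAD_LENGTH = bytes([0x00, 0x00, 0x00, 0x10]) + b"\xffSMB"
# Message type 0x85 (session keep-alive) is not a session message.
SAMPLE_OTHER_TYPE = bytes([0x85, 0x00, 0x00, 0x00])

# The manual's first pattern, written as the hex bytes |00|.
PATTERN_1 = bytes.fromhex("00")


def parse_netbios_session_header(data):
    """Return (message_type, declared_length, payload), or None if too short."""
    if len(data) < 4:
        return None
    message_type = data[0]
    declared_length = int.from_bytes(data[1:4], "big")  # 3-byte length field
    return message_type, declared_length, data[4:]


def matches_pattern(data, pattern, offset=0):
    """Fixed-offset byte match, the way a custom signature pattern is applied."""
    return data[offset:offset + len(pattern)] == pattern


def classify(data):
    """Apply pattern 1 at offset 0, then sanity-check the length field.

    Returns one of: 'no-match', 'truncated', 'length-mismatch',
    'session-message'.
    """
    if not matches_pattern(data, PATTERN_1, 0):
        return "no-match"
    parsed = parse_netbios_session_header(data)
    if parsed is None:
        return "truncated"
    _, declared, payload = parsed
    if declared != len(payload):
        # The length field is ignored by the signature itself, but a
        # mismatch between declared and actual length is worth flagging
        # when reviewing captures for malformed traffic.
        return "length-mismatch"
    return "session-message"


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK),
                         ("bad-length", SAMPLE_BAD_LENGTH),
                         ("other-type", SAMPLE_OTHER_TYPE)]:
        print(name, "->", classify(sample))
```

Running the block prints one classification per constructed sample. Note that `SAMPLE_OK` is a perfectly normal SMB session message and still matches pattern 1, which is exactly the false-positive risk the text warns about; a usable signature needs the additional patterns the manual adds in the following steps.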
514
ZyWALL USG 2000 User's Guide

This manual is also suitable for: ZyWALL USG 1000