Figure 390 custom signature example pattern 1, Figure 391 custom signature example pattern 2 – ZyXEL Communications 200 Series User Manual


Chapter 29 IDP

ZyWALL USG 100/200 Series User’s Guide

506

29.8.2.2 Analyze Packets

Then use a packet sniffer such as TCPdump or Ethereal to investigate some more.

From the NetBIOS header you see that the first byte ‘00’ defines the message type. The next
three bytes represent the length of the data, so you can ignore them. Therefore enter |00| as the first
pattern.

Figure 390 Custom Signature Example Pattern 1

Next, check the content of the SMB header. Add |FF|SMB% and ‘TransactionNmPipe’ to the
signature as the next patterns.

Figure 391 Custom Signature Example Pattern 2

Figure 392 Custom Signature Example Patterns 3 and 4

The final custom signature should look like the one shown in the following figure.

If the attack occurs, check the logs for an entry generated by your custom signature. Such an entry
indicates that the signature works correctly.
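As an added illustration (not code from the ZyWALL guide), the following shows what the three patterns above actually match on the wire: a NetBIOS session header whose type byte is 00, followed by an SMB header |FF|SMB% (the ‘%’ being the command byte 0x25, SMB_COM_TRANSACTION), followed by the text TransactionNmPipe. The packet is constructed inline, and the pattern syntax (hex between pipes, plain text outside) follows the convention used in the manual's examples.

```python
# Patterns as written in the custom-signature UI: hex bytes between pipes,
# everything else is literal text. Taken from the manual's example.
SIGNATURE_PATTERNS = ["|00|", "|FF|SMB%", "TransactionNmPipe"]


def pattern_to_bytes(pattern: str) -> bytes:
    """Convert a |hex|literal pattern string into the raw bytes it matches."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 1:                          # odd chunks sit between pipes: hex
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                   # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)


def matches_signature(payload: bytes, patterns=SIGNATURE_PATTERNS) -> bool:
    """True if every pattern occurs in order; the first one is anchored at offset 0,
    because |00| is the NetBIOS message-type byte that opens the session header."""
    needles = [pattern_to_bytes(p) for p in patterns]
    if not payload.startswith(needles[0]):
        return False
    pos = len(needles[0])
    for needle in needles[1:]:
        idx = payload.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def build_sample_message(command: int = 0x25, name: str = "TransactionNmPipe") -> bytes:
    """Constructed sample (not a capture): a NetBIOS session message carrying a
    minimal SMB request. Only the fields the signature inspects are meaningful."""
    # SMB header: 0xFF 'S' 'M' 'B', then the command byte, padded to 32 bytes
    smb_header = b"\xffSMB" + bytes([command]) + b"\x00" * 27
    # Placeholder parameter block, then the text the third pattern keys on
    body = b"\x00" * 8 + name.encode("ascii") + b"\x00"
    data = smb_header + body
    # NetBIOS session header: type 0x00 (session message) + 3-byte big-endian length
    return b"\x00" + len(data).to_bytes(3, "big") + data
```

A message whose SMB command byte is anything other than 0x25, or whose NetBIOS type byte is not 00, fails the match, which is why the manual has you confirm the header bytes in a sniffer before entering the patterns.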
