More WMF Signatures

Published: 2005-12-30
Last Updated: 2005-12-30 20:32:47 UTC
by Scott Fendley (Version: 2)
0 comment(s)
Frank Knobbe from sent us some new and improved rules for the WMF exploit. As you can tell by the various itterations we went through, a lot of work went into these rules.

First a couple notes about these rules:

In its simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers).  But realize, that this only works if you block access to other ports at your firewall. Otherwise, its trivial to just run a web server on an odd port, and link to the image on the odd port.

Here the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository

Update: (20:15 UTC) The folks at have updated this sig to rev:2.  We had some problems with the pcre in the earlier version of this story, so we've removed it from the story, see the link above to get the actual sig.  Also, it is very important to note that this sig will not detect the exploit on any http ports for which the http_inspect preprocessor is enabled with default settings.  The http_inspect preprocessor defaults to a flow_depth of 300.  Increasing flow_depth (or setting flow_depth to 0 which turns off truncation of the tcp stream by the preprocessor) is potentially a serious performance issue for the sensor on a busy network.
0 comment(s)


Diary Archives