
SANS ISC: More WMF Signatures SANS ISC InfoSec Forums

More WMF Signatures
Frank Knobbe from sent us some new and improved rules for the WMF exploit. As you can tell by the various iterations we went through, a lot of work went into these rules.

First, a couple of notes about these rules:

In the simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to the ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port and link to the image on that port.

Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository


ISC Handler
Dec 30th 2005
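
The note above about limiting the rules to port 80 or $HTTP_PORTS can be checked mechanically. The following is an added example, not part of the original diary or the Bleedingsnort rule set: it compares the server ports a Snort rule header inspects against the ports the firewall lets clients reach, and reports the difference. The rule lines, sids, variable values and firewall policy are constructed sample data, and the rule options are placeholders.

```python
import re

# Constructed sample input. Rule options are placeholders, not the WMF rule itself.
SNORT_VARS = {"HTTP_PORTS": "[80,8080]"}
RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder A"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder B"; sid:1000002;)',
]
# Constructed firewall policy: outbound TCP destination ports clients may reach.
EGRESS_ALLOWED = {80, 8000, 8080, 8888}

# action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)

def resolve_ports(spec, variables):
    """Return the set of ports a spec names, or None when it means every port.
    Handles $VAR, any, single ports, lists and closed ranges (lo:hi) only."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return None
    ports = set()
    for part in spec.strip("[]").split(","):
        lo, _, hi = part.strip().partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def coverage_gaps(rules, variables, egress_allowed):
    """Map each rule sid to the egress-allowed ports its header never inspects.
    For server-to-client traffic the server's port is the rule's source port."""
    gaps = {}
    for rule in rules:
        m = HEADER.match(rule)
        if not m:
            raise ValueError("unparsable rule: " + rule)
        sid = int(re.search(r"sid:\s*(\d+)", m.group(8)).group(1))
        server_ports = resolve_ports(m.group(4), variables)
        missed = set() if server_ports is None else set(egress_allowed) - server_ports
        gaps[sid] = sorted(missed)
    return gaps

if __name__ == "__main__":
    for sid, missed in coverage_gaps(RULES, SNORT_VARS, EGRESS_ALLOWED).items():
        print(sid, "uninspected egress ports:", missed or "none")
```

An empty list for a port-limited rule means the firewall policy and the rule header agree; any port listed is reachable by clients but never seen by that rule.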
