
SANS ISC: More WMF Signatures - Internet Security | DShield SANS ISC InfoSec Forums


More WMF Signatures
Frank Knobbe from bleedingsnort.com sent us some new and improved rules for the WMF exploit. As you can tell from the various iterations we went through, a lot of work went into these rules.

First, a couple of notes about these rules:

In the simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port and link to the image on that port.

Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository)

ScottF

ISC Handler
