CastleCops, Internet Crime Fighters

Use Sunbelt Kerio to protect against the WMF exploits
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 4:13 am    Post subject: Use Sunbelt Kerio to protect against the WMF exploits

Straight from Sunbelt's blog, ericsites posts:

http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html


Quote:
Our friends over at Bleeding-Edge Snort http://www.bleedingsnort.com/ have posted a snort rule to block all infected Windows Metafiles (WMF). We have tested this with our Kerio Firewall product and it does indeed work and block all of this nasty stuff.

The following Bleeding-Edge Snort rules, when implemented into Sunbelt Kerio Personal Firewall, have been successful in blocking different variations of the WMF (Windows Metafile) exploit:

alert ip any any -> any any (msg: "COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

You can add these two rules into the “bad-traffic.rlk” file located at: C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules
NIPS (Network Intrusion Prevention System) must be enabled.

And you must restart the Sunbelt Kerio Firewall Service or reboot for these rules to take effect.

These rules work in the Free or Full version of Sunbelt Kerio Firewall.


Thanks Eric!


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
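As an added example (not part of this thread, and not code from Sunbelt or Bleeding-Edge Snort), the Python below models how the second rule above is evaluated: each content is searched for under its depth/distance/within modifiers, run over constructed sample bytes rather than real files. It assumes a simplified reading of the modifiers (depth counts from the start of the payload, distance moves the search start past the previous match, within caps the window length from that start).

```python
# Added example: a small model of the quoted "WMF Escape Record" Snort rule.
# Assumed modifier semantics (simplified, not Snort's exact implementation):
#   depth    - the match must end within the first `depth` bytes of the payload
#   distance - start searching this many bytes after the previous match ended
#   within   - the match must lie inside `within` bytes of that search start

# (pattern, depth, distance, within), in the order the rule lists its contents
WMF_ESCAPE_RULE = [
    (bytes.fromhex("010009000003"), 500, None, None),   # WMF header: type, header size, version
    (bytes.fromhex("0000"), None, 10, 12),              # final header field, 10 bytes later
    (bytes.fromhex("26060900"), None, None, 5000),      # escape record marker the rule keys on
]


def matches_rule(payload: bytes, rule=WMF_ESCAPE_RULE) -> bool:
    """Return True when every content in `rule` is found, honouring its modifiers."""
    prev_end = 0
    for pattern, depth, distance, within in rule:
        start = prev_end + (distance or 0)
        if depth is not None:
            end = depth
        elif within is not None:
            end = start + within
        else:
            end = len(payload)
        hit = payload.find(pattern, start, end)   # whole match must sit inside [start, end)
        if hit < 0:
            return False
        prev_end = hit + len(pattern)
    return True


# Constructed samples (not real files): an 18-byte WMF header followed by one record.
WMF_HEADER = bytes.fromhex("010009000003" "10000000" "0000" "08000000" "0000")
SAMPLE_HIT = WMF_HEADER + bytes.fromhex("04000000" "2606" "0900")      # record type the rule alerts on
SAMPLE_MISS = WMF_HEADER + bytes.fromhex("05000000" "0b02" "00000000")  # a different record type


if __name__ == "__main__":
    for name, sample in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_MISS", SAMPLE_MISS)):
        print(name, "->", "alert" if matches_rule(sample) else "clean")
```

Because the first content carries depth:500, a header that only appears later in the stream is not matched, which is one reason the thread's "all traffic" and "web traffic" variants behave the same on a given payload.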
KDNeese

Corporal


Joined: Dec 16, 2005
Posts: 56
Location: USA

PostPosted: Fri Dec 30, 2005 4:50 am    Post subject: How do you integrate it into Kerio?

This procedure may make sense to the more technically astute, but this information is fairly useless without explaining how to integrate it into Kerio. The post says:

"You can add these two rules into the “bad-traffic.rlk” file located at: C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules"

I went into Windows Explorer and found the file, but how do you open it or enter any of the info into it? When I tried to open the file, all I received was a message saying, "Windows cannot open this file." So what is the procedure for making this work with the firewall? The info isn't much good without the knowledge of how to implement it.

Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 5:06 am    Post subject:

Good question; the answer is to exit the firewall and open the file using WordPad. Then start up the firewall again. Otherwise there is a lock on it.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Graham1

Captain


Joined: Dec 21, 2005
Posts: 340


PostPosted: Fri Dec 30, 2005 1:16 pm    Post subject:

Thanks for the link, Paul :). Could a modified "bad-traffic.rlk" be uploaded here for others to download?


Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 3:17 pm    Post subject:

Hi'ya, you mean a vanilla bad-traffic.rlk file modified with the above?


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Graham1

Captain


Joined: Dec 21, 2005
Posts: 340


PostPosted: Fri Dec 30, 2005 6:50 pm    Post subject:

Yes, if attachments are allowed :D. I think it would benefit other SKPF4 users who won't need (or don't know how) to open bad-traffic.rlk and then copy/paste these new intrusions.


Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 7:29 pm    Post subject:

Oh yes indeed attachments are permitted. Can you attach yours and I'll take a look?


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Graham1

Captain


Joined: Dec 21, 2005
Posts: 340


PostPosted: Fri Dec 30, 2005 7:36 pm    Post subject: Modified "bad-traffic.rlk"

Here you go.


Edit: Had to add the "txt" extension as it wouldn't accept "rlk".



Last edited by Graham1 on Fri Dec 30, 2005 8:25 pm, edited 1 time in total
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 8:11 pm    Post subject:

OK, thanks. I added them into the file using WordPad in the top two lines after the comment. Here it is compressed.

Let me know how it goes.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b


Last edited by Paul on Fri Dec 30, 2005 10:38 pm, edited 1 time in total
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 8:24 pm    Post subject:

Here is the file as Graham1 attached with the rules in place.

Great stuff Graham1!




Attachment: bad-traffic.zip (1.08 KB, downloaded 116 times)
Description: version 1.0... a newer version exists, this is obsolete


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b


Last edited by Paul on Fri Dec 30, 2005 11:20 pm, edited 1 time in total
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Fri Dec 30, 2005 11:12 pm    Post subject:

There has been an update to the rules, make sure to grab the newest one here. This one supersedes the above attachment.

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit?rev=1.5&only_with_tag=HEAD&view=markup

UPDATE: The second commented-out line is the rule for blocking web traffic. The line above that is the same but for all traffic. It's defaulted to block all traffic on matches.




Attachment: bad-traffic.zip (1.05 KB, downloaded 116 times)
Description: version 1.1. a newer version exists, this one is obsolete, look further into the thread


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b


Last edited by Paul on Sat Dec 31, 2005 9:33 pm, edited 1 time in total
Golddigger

Corporal


Joined: Nov 05, 2005
Posts: 62


PostPosted: Sat Dec 31, 2005 12:08 am    Post subject:

Paul wrote:
UPDATE: The second commented-out line is the rule for blocking web traffic. The line above that is the same but for all traffic. It's defaulted to block all traffic on matches.

Paul, thanks for the update!

I have put a link to this very useful thread on several forums. :D

Golddigger


_________________
Golddigger passed away - Born again as Smokey
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin MIRT Moderators MVP Phishing Squad Premium Team CC Committee

PostPosted: Sat Dec 31, 2005 12:48 am    Post subject:

Roger wilco. Feel free to jump right in too. Happy new year.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Paul

CastleCops Founder


Joined: Feb 22, 2002
Posts: 27351

Administrators Firetrust Forums Admin