Smokey
December 29th, 2005, 04:33 PM
Protect yourself from the WMF exploit using the Sunbelt Kerio Firewall
How?
Look here (http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html)
Kye-U
December 29th, 2005, 05:36 PM
Never knew Kerio had Snort implemented...I'm installing it right now :)
Smokey
December 29th, 2005, 05:40 PM
-{ Quote: "Never knew Kerio had Snort implemented" }-
Neither did I ;)
I read it tonight and thought it is a nice solution for the Kerio user :)
muf
December 31st, 2005, 03:53 PM
Please can someone explain how to do this. I read that link and to be honest it may as well have been in Chinese. It says to add the rules, but where? And it says they can be added to the bad-traffic.rlk file, but how do I access that file to edit it? I think that page presumes you have done this sort of thing before and doesn't actually explain how it is done. Any volunteers want to enlighten me?
muf
ronjor
December 31st, 2005, 03:58 PM
The rlk files are in the program files, Kerio folder, under config, IDS rules. Open the bad-traffic.rlk entry with notepad, copy and paste the new entries.
muf
December 31st, 2005, 04:34 PM
Thank you Ronjor for the Chinese translation. ;)
It was that easy, was it? Why could it not simply have said that? Anyway, again thanks. :)
muf
Smokey
December 31st, 2005, 04:36 PM
OK, now that Ronjor has explained how to implement the Snort rules, saving me valuable time doing it myself ;), here is the most recent Snort rule:
(BTW: I copied and pasted it from a thread I posted on another forum)
Revision: 1.6, Sat Dec 31 13:15:47 2005 EST
Changes since 1.5: +2 -2 lines
SIDs 2002733 2002741: Removed depth/within limit for header search to allow for large encapsulating 'pre-headers'.
Snort rules v1.6:
----------start----------
#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1; )
# By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit - Web Only"; flow:established,from_server; content:"HTTP"; depth:4; nocase; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002741; rev:3; )
----------end----------
Copy and paste all rules between "start" and "end" into the Kerio bad-traffic.rlk file.
Don't forget to remove the previous Snort rules for the WMF Exploit.
Just a reminder: you only stay safe if you are using updated Snort rules for the WMF Exploit.
Updates available at the source: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit?only_with_tag=HEAD
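For anyone who wants to see what the rules above actually match before trusting them in bad-traffic.rlk, here is an added example; it is my own code, not part of this thread, the Bleeding Edge signatures or Kerio. It is a small Python emulation of the Snort 2 payload options the three rules use (content with |hex| notation, depth, nocase, distance, within and pcre), with the three rules encoded as data and run over constructed WMF byte sequences. It models payload matching only: the flow, port and $HOME_NET/$EXTERNAL_NET parts of the real rules are not modelled, and the header field values in the samples are made up for the test, not taken from any real file.

```python
import re

# Snort content syntax: literal text with |hex bytes| sections, e.g. "|00 09 00 00 03|".
def snort_content(spec: str) -> bytes:
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def content(spec: str, **mods):
    """One content option plus the modifiers the thread's rules use (depth, nocase, distance, within)."""
    return {"type": "content", "value": snort_content(spec), **mods}

def pcre(pattern: bytes):
    return {"type": "pcre", "value": re.compile(pattern, re.DOTALL)}

def match_rule(payload: bytes, options) -> bool:
    """Evaluate the payload options of one rule in order (payload matching only)."""
    cursor = 0  # end of the previous content match (Snort's "doe" pointer)
    for opt in options:
        if opt["type"] == "pcre":
            if not opt["value"].search(payload):  # no R modifier, so not relative
                return False
            continue
        needle = opt["value"]
        if "distance" in opt or "within" in opt:
            # relative search: starts distance bytes after the previous match;
            # with within:N the whole needle must fit inside the next N bytes
            start = cursor + opt.get("distance", 0)
            end = start + opt["within"] if "within" in opt else len(payload)
        else:
            # absolute search: offset/depth bound it from the payload start
            start = opt.get("offset", 0)
            end = start + opt["depth"] if "depth" in opt else len(payload)
        hay = payload[start:end]
        idx = hay.lower().find(needle.lower()) if opt.get("nocase") else hay.find(needle)
        if idx < 0:
            return False
        cursor = start + idx + len(needle)
    return True

# The three rules from the post, reduced to their payload options.
RULES = {
    # sid 2002734: fixed bytes of one known sample (its header and its escape record)
    2002734: [content("|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"),
              content("|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|")],
    # sid 2002733: generic WMF header layout, then an escape record anywhere in the payload
    2002733: [content("|00 09 00 00 03|"),
              content("|00 00|", distance=10, within=12),
              pcre(rb"\x26[\x00-\xff]\x09\x00")],
}
# sid 2002741: the same, but only for payloads that start with an HTTP response line
RULES[2002741] = [content("HTTP", depth=4, nocase=True)] + RULES[2002733]

def matching_sids(payload: bytes):
    return sorted(sid for sid, opts in RULES.items() if match_rule(payload, opts))

# Constructed test vectors (not real files): the standard 18-byte WMF header with
# made-up size fields, followed by one record.
WMF_HEADER = (
    b"\x01\x00"          # mtType = 1 (metafile on disk)
    b"\x09\x00"          # mtHeaderSize = 9 words  -> |00 09 00 00 03| spans bytes 1..5
    b"\x00\x03"          # mtVersion = 0x0300
    b"\x20\x00\x00\x00"  # mtSize (constructed value)
    b"\x00\x00"          # mtNoObjects
    b"\x10\x00\x00\x00"  # mtMaxRecord (constructed value)
    b"\x00\x00"          # mtNoParameters -> the |00 00| found 10 bytes past the version field
)
# META_ESCAPE (function 0x0626) whose first parameter is escape number 9; the pcre keys on 26 ?? 09 00
ESCAPE_RECORD = b"\x06\x00\x00\x00" + b"\x26\x06" + b"\x09\x00" + b"\x00\x00\x00\x00"
# META_SETBKCOLOR (function 0x0201): an ordinary drawing record
BENIGN_RECORD = b"\x05\x00\x00\x00" + b"\x01\x02" + b"\x00\x00\x00\x00"

SUSPICIOUS_WMF = WMF_HEADER + ESCAPE_RECORD
BENIGN_WMF = WMF_HEADER + BENIGN_RECORD
HTTP_WMF_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n\r\n" + SUSPICIOUS_WMF
# Junk pushed between the version field and the rest of the header moves the |00 00|
# outside the distance/within window, so the header check no longer lines up.
PADDED_HEADER_WMF = WMF_HEADER[:6] + b"\x01" * 20 + WMF_HEADER[6:] + ESCAPE_RECORD

if __name__ == "__main__":
    for name, data in [("suspicious", SUSPICIOUS_WMF), ("benign", BENIGN_WMF),
                       ("http response", HTTP_WMF_RESPONSE), ("padded header", PADDED_HEADER_WMF)]:
        print(f"{name:14s} -> sids {matching_sids(data)}")
```

Running it shows the difference between the two kinds of rule: sid 2002734 fires only on the exact header and record bytes of the one sample it was written from, so the constructed escape-record file is missed by it and caught by the generic 2002733, and 2002741 adds nothing on a bare stream because it insists on an HTTP response line in the first four bytes. The padded header case shows that the second content check is anchored on WMF header layout (distance 10, within 12 from the version field), not on the mere presence of 00 00 somewhere, which is why the rule revision notes above talk about padding and "pre-headers".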
Smokey
December 31st, 2005, 04:39 PM
-{ Quote: "Thank you Ronjor for the Chinese translation. ;)
It was that easy was it? Why could it simply have not said that. Anyway, again thanks." }-
Hi Muf,
I thought an expert like you didn't need any explanation :)
Smokey
December 31st, 2005, 05:09 PM
Before you start copying the Snort rules into the .rlk file, exit Kerio Firewall.
When you have copied the Snort rules into the bad-traffic.rlk file, restart Kerio. In the Kerio Network Intrusion Prevention System (NIPS) > Advanced > High Risk > Details you should see this:
http://www.myfilestash.com/userfiles/Golddigger/Naamloos106.jpg
muf
December 31st, 2005, 08:25 PM
-{ Quote: "Hi Muf,
i thought an expert like you didn't need any explanation:)" }-
Expert? You're having a laugh, surely. I know my way around the apps that I use. I've got a bit of knowledge but won't pretend to extend beyond my limits, which are not that high to be honest. But I'm a new user of Kerio; I've only been using it for a week, so I haven't got around to configuring rules and such yet. Yeah, I can assure you that I'm no expert, and won't pretend otherwise.
muf
Hulk
December 31st, 2005, 08:37 PM
Well said, and good for you. You're not the only one who needs help with this. I opened up Word to deal with this and have just moved back to Kerio after the buy-out by sun aliance, but also because someone on the McAfee forum said they read that the McAfee firewall, which until yesterday I used, can be disabled by a head-on attack. Does anyone else know about the McAfee issue, and if so, any advice on this software? And by the way, happy new year.
:)
Smokey
December 31st, 2005, 08:48 PM
-{ Quote: "Expert? Your having a laugh, surely" }-
Calm down, Muf.:)
When you know me just a little bit, you should know I was just making jokes ;)
Hulk
December 31st, 2005, 08:54 PM
I know - sorry, had a bit too much of the old falling down water - but would like to know if the McAfee claim has anything behind it.
Thanks:-\
Smokey
December 31st, 2005, 09:10 PM
-{ Quote: "I know - sorry, had a bit too much of the old falling down water - but would like to know if the McAfee claim has anything behind it." }-
I haven't heard anything about the McAfee issue, nor do I have the time to check it for you.
I am at the moment very, very busy testing Snort rules for the Sunbelt Kerio Firewall, and at the same time maintaining some forums about the WMF Exploit issue.
Getting a properly functioning Snort rule is the most important issue to me.
Hulk
December 31st, 2005, 09:42 PM
That's OK, you need to do what you have to do, and that's good for everyone, but if you do hear anything can you please keep users in the know? In the meantime I think I will use Kerio myself.
Thanks:thumb:
Smokey
January 1st, 2006, 05:26 AM
-{ Quote: "That's OK, you need to do what you have to do, and that's good for everyone, but if you do hear anything can you please keep users in the know? In the meantime I think I will use Kerio myself." }-
Tested different rules last night and this morning; to me one specific Snort rule is functioning 100%, but I have to wait on the results of others.
BartFan
January 1st, 2006, 07:32 AM
Hi guys, good news, or so it seems to me.
http://www.grc.com/sn/notes-020.htm
Cheers
controler
January 1st, 2006, 09:02 AM
Smokey
Did you opt for the two separate rules? ALL PORTS and WEB?
Smokey
January 1st, 2006, 09:14 AM
;) -{ Quote: "Did you opt for the two separate rules? ALL PORTS and WEB?" }-
I am almost ready with bad-traffic.rlk.
Will upload it here in this thread, 'cause the discussion is going on here all the time; complete "how to" instructions will be included.
Have chosen the "All Ports" option; nice pro: the system stays stable.
It is the most secure solution; the web option is, from a security point of view, not safe enough :)
BTW: suggestions are always welcome!
controler
January 1st, 2006, 09:30 AM
Thank you Smokey
I may have gotten confused again. The below statement might be for snort itself and not Kerio? Taken from here:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit?view=markup
I thought at first this was setup in Kerio Network Security, Packet Filter.
Split WMF rule into two rules to cover larger exploit padding.
Choose either All Ports or Web Only version. flow_depth (of http_inspect_server) has to be set to 0.
# Recommend second Snort instance with that config.
Smokey
January 1st, 2006, 10:19 AM
-{ Quote: "Thank you Smokey
I may have gotten confused again. The below statement might be for snort itself and not Kerio? Taken from here:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit?view=markup
I thought at first this was setup in Kerio Network Security, Packet Filter.
Split WMF rule into two rules to cover larger exploit padding.
Choose either All Ports or Web Only version. flow_depth (of http_inspect_server) has to be set to 0.
# Recommend second Snort instance with that config." }-
It IS indeed very confusing.
I have left it for what it is; no negative effects so far.
The modified Snort rule is running fine on my machine.
One rule for the Current WMF Exploit.
Split into 2 rules is the EXPLOIT WMF Escape Record Exploit (all ports).
In total these 3 rules will be added to the bad-traffic.rlk file.
Smokey
January 1st, 2006, 11:41 AM
Sorry, I have removed the post/download links to the Sunbelt Snort Rules.
Unexpected problems.
Further evaluation necessary.
Will be continued.....
controler
January 1st, 2006, 01:40 PM
Smokey
You added the rules from the Kerio site then, and not the ones from the Snort site?
Should we remove them now?
Smokey
January 1st, 2006, 01:50 PM
-{ Quote: "Smokey
You added the rules from the Kerio site then, and not the ones from the Snort site?
Should we remove them now?" }-
Remove NOTHING!!!
The WMF Exploit Snort Rules are added to the standard rules.
The Bleeding-Edge Snort Rules are only intended to protect you against the Exploit.
The first 3 rules are the Snort Rules 1.7 in a modified way, because the original Snort Rules can cause connection problems.
All other rules that follow belong to the Network Intrusion Prevention System (NIPS) too!
Smokey
January 1st, 2006, 03:32 PM
Follow-up Sunbelt Kerio Personal Firewall Snort Rules here (http://www.wilderssecurity.com/showthread.php?p=645536#post645536)
Copyright ©2002 - 2012, Wilders Security Forums