Protect yourself from the WMF exploit using the Sunbelt Kerio Firewall

Discussion in 'other firewalls' started by Smokey, Dec 29, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Protect yourself from the WMF exploit using the Sunbelt Kerio Firewall

    How?

    Look here
     
  2. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Never knew Kerio had Snort implemented...I'm installing it right now :)
     
  3. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Neither did I ;)

    I have read it tonight and thought it is a nice solution for the Kerio user :)
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Please can someone explain how to do this. I read that link and to be honest it may as well have been in Chinese. It says to add the rules, but where? And it says they can be added to the bad-traffic.rlk file, but how do I access that file to edit it? I think that page presumes you have done this sort of thing before and doesn't actually explain how it is done. Any volunteers want to enlighten me?

    muf
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    The rlk files are in the program files, Kerio folder, under config, IDS rules. Open the bad-traffic.rlk entry with notepad, copy and paste the new entries.
     
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thank you Ronjor for the Chinese translation. ;)

    It was that easy, was it? Why could it not simply have said that. Anyway, again thanks. :)

    muf
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Ok, now Ronjor has explained how to implement the snort rules, saving me valuable time doing it by myself ;), here is the most recent snort rule:

    (BTW: I copied and pasted it from a thread I placed on another forum)


    Revision: 1.6, Sat Dec 31 13:15:47 2005 EST

    Changes since 1.5: +2 -2 lines

    SIDs 2002733 2002741: Removed depth/within limit for header search to allow for large encapsulating 'pre-headers'.

    Snort rules v1.6:

    ----------start----------

    #by mmlange
    alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:1; )

    # By Frank Knobbe, 2005-12-28. Additional work with Blake Harstein and Brandon Franklin.
    #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:4; )

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit - Web Only"; flow:established,from_server; content:"HTTP"; depth:4; nocase; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; pcre:"/\x26[\x00-\xff]\x09\x00/"; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002741; rev:3; )

    ----------end----------

    Copy and paste all rules between "start" and "end" into the Kerio bad-traffic.rlk file.

    Don't forget to remove the previous snort rules for the WMF Exploit.


    Just a reminder: only if you are using updated Snort rules for the WMF Exploit do you stay safe.

    Updates available at the source: http://www.bleedingsnort.com/cgi-bin/viewc...y_with_tag=HEAD
     
  8. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hi Muf,

    I thought an expert like you didn't need any explanation :)
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Before starting to copy the snort rules into the .rlk file, exit Kerio Firewall.

    When you have copied the snort rules into the bad-traffic.rlk file, restart Kerio; in the Kerio network intrusion prevention system (NIPS) > advanced > high risk > details you should see this:

    http://www.myfilestash.com/userfiles/Golddigger/Naamloos106.jpg
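The steps given in posts 5, 7 and 9 (exit Kerio, paste the new rules into bad-traffic.rlk, remove the previous WMF rules, restart) can be checked mechanically. The script below is an added example, not code from this thread or from Sunbelt/Kerio: it merges a rule block into an .rlk body by SID so that no stale revision is left beside its replacement, and decodes the content: byte patterns to show what the three rules actually look for in a stream. It assumes the .rlk file is plain Snort rule syntax, one rule per line, as the instructions above imply; the rule bodies are shortened copies of those quoted in post 7, and the streams are constructed test data.

```python
import re
# Constructed sample of an existing bad-traffic.rlk: one unrelated rule plus an
# older revision of a WMF rule, which the thread says must not be left in place.
OLD_RLK = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample"; flow:established; content:"|ff|SMB"; sid:9000001; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|00 09 00 00 03|"; sid:2002733; rev:2; )
"""
# Constructed, shortened copy of the v1.6 block quoted in the thread (same SIDs and content bytes).
NEW_RULES = """\
#by mmlange
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; sid:2002733; rev:4; )
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; sid:2002734; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT WMF Escape Record Exploit - Web Only"; flow:established,from_server; content:"HTTP"; depth:4; nocase; content:"|00 09 00 00 03|"; sid:2002741; rev:3; )
"""
# Constructed test stream: an HTTP reply followed by the bytes the rules look for (not a WMF file).
SAMPLE_STREAM = (b"HTTP/1.0 200 OK\r\n\r\n" + bytes.fromhex("01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00")
                 + b"\x00" * 8 + bytes.fromhex("00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00"))
BENIGN_STREAM = b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>"
SID_RE = re.compile(r"\bsid:\s*(\d+)")
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')

def rule_sid(line):
    # Snort SID of a rule line (commented-out rules count too), or None for other lines.
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None

def merge_rules(existing, new):
    # Append the new block; drop existing lines whose SID the new block also carries.
    new_lines = [l for l in new.splitlines() if l.strip()]
    new_sids = {rule_sid(l) for l in new_lines} - {None}
    kept = [l for l in existing.splitlines() if l.strip() and rule_sid(l) not in new_sids]
    return "\n".join(kept + new_lines) + "\n"

def content_patterns(rule):
    # Decode each content:"..." option: |xx xx| spans are hex bytes, the rest is literal text.
    out = []
    for raw in CONTENT_RE.findall(rule):
        buf = bytearray()
        for i, part in enumerate(raw.split("|")):
            buf += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
        out.append(bytes(buf))
    return out

def rule_hits(rule, payload):
    # True when every content pattern occurs in payload, in order. Ignores the
    # depth/distance/within/nocase modifiers, so this is only a coarse approximation.
    pos = 0
    for pat in content_patterns(rule):
        idx = payload.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True
```

Run merge_rules on the real file only with Kerio exited, as post 9 says, and keep a copy of the original .rlk so the merge can be reverted.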
     
  10. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Expert? You're having a laugh, surely. I know my way around the apps that I use. I've got a bit of knowledge but won't pretend to extend beyond my limits, which are not that high to be honest. But I'm a new user to Kerio, only been using it for a week, so I haven't got around to configuring rules and such yet. Yeah, I can assure you that I'm no expert, and won't pretend otherwise.

    muf
     
  11. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    Well said and good for you - you're not the only one who needs help with this. I opened up Word to deal with this and have just moved back to Kerio after the buyout by sun aliance, but also because someone on the McAfee forum said they read that the McAfee firewall, which I used until yesterday, can be disabled by a head-on attack. Does anyone else know about the McAfee issue, and if so any advice on this software? And by the way, happy new year.

    :)
     
  12. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Calm down, Muf. :)

    When you know me just a little bit, you should know I was just making jokes ;)
     
  13. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    I know - sorry, had a bit too much of the old falling down water - but would like to know if the McAfee claim has anything behind it.

    Thanks :doubt:
     
  14. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I haven't heard anything about the McAfee issue, and neither have I the time to check it for you.

    Am at the moment very, very busy with testing snort rules for the Sunbelt Kerio Firewall, and maintaining at the same time some forums about the WMF Exploit issue.

    To get a good functioning snort rule is the most important issue to me.
     
  15. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    That's OK, you need to do what you have to do and that's good for everyone, but if you do hear anything can you please keep users in the know? For the time being I think I will use Kerio myself.

    Thanks :thumb:
     
  16. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Tested different rules last night and this morning; to me one specific snort rule is functioning 100% but have to wait on results of others.
     
  17. BartFan

    BartFan Guest

  18. controler

    controler Guest

    Smokey

    Did you opt for the two separate rules? ALL PORTS and WEB?
     
  19. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    ;)
    I am almost ready with bad-traffic.rlk

    Will upload it here in this thread 'cause the discussion is going on here all the time; complete "how to" instructions will be included.

    Have chosen the option "All Ports", nice pro: system stays stable.

    It is the most secure solution; the web option is, from a security view, not safe enough :)

    BTW: suggestions are always welcome!
     
  20. controler

    controler Guest

    Thank you Smokey

    I may have gotten confused again. The below statement might be for snort itself and not Kerio? Taken from here:

    http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit?view=markup

    I thought at first this was setup in Kerio Network Security, Packet Filter.



    Split WMF rule into two rules to cover larger exploit padding.

    Choose either All Ports or Web Only version. flow_depth (of http_inspect_server) has to be set to 0.
    # Recommend second Snort instance with that config.
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    It IS indeed very confusing.

    I have left it for what it is, no negative effects till now.

    The modified snort rule is running fine on my machine.

    One rule for the Current WMF Exploit.
    Split in 2 rules is the EXPLOIT WMF Escape Record Exploit (all ports).

    In total these 3 rules will be added to the bad-traffic.rlk file.
     
  22. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Sorry, I have removed the post/download links to the Sunbelt Snort Rules.

    Unexpected problems.

    Further evaluation necessary.

    Will be continued.....
     
    Last edited: Jan 1, 2006
  23. controler

    controler Guest

    Smokey

    You added the rules from the Kerio site then and not the ones from the Snort site?

    Should we remove them now?
     
  24. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Remove NOTHING!!!

    The WMF Exploit Snort Rules are added to the standard rules.
    The Bleeding-Edge Snort Rules are only intended to protect you against the Exploit.

    The first 3 rules are the Snort Rules 1.7 in a modified way, because the original Snort Rules can cause connection problems.

    All other rules that follow belong to the Network Intrusion Prevention System (NIPS) too!
     
  25. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Follow-up Sunbelt Kerio Personal Firewall Snort Rules here
     