Sunbelt Kerio Personal Firewall: additional WMF Exploit Defense Layer

SUNBELT KERIO PERSONAL FIREWALL ADDITIONAL WMF EXPLOIT DEFENSE LAYER


With the most recent facts about the WMF Exploit and the growing variants of the trojan i had no other choice than drawing back my previous post with included download-possibily for the Sunbelt Kerio Snort Rules.

These Snort Rules are a modified version of the original Bleeding-Edges Snort Rules, because BE- Snort Rules are not stable.

Our modified version is stable, we have tested it thoroughly.

This afternoon i have discussed with the fellow-members of the CastleCop Sunbelt Kerio Snort Team how to handle.

With the WMF variants there is in fact not an acceptable solution possible, you are always walking behind the facts/new variants and protection against these nasties.

At this time we know, that there is only one real trustable and safe protection possible against the Exploit: with Ilfak Guilfanov's patch.

In that point we were all the same opinion.

We didn't want to offer something that can't protect you 100% against the growing WMF variants.

On the other hand, an extra defense layer against this very dangerous Exploit can't hurt.

We have decided, to open again the downloadlink, but we are doing that with the following remarks:

- We want to make clear, that only Guilfanov's patch will protect you effective.
- We offer you the modified Snort Rules ("all ports") as an interem measure untill Microsoft offer us a final and secure patch that will protect us in a effectve way.
- The Snort Rules will not give you 100% protection, it is an additional defense layer.
- Using the Snort Rules is at your own risk.
- We strongly advice you, to change nothing in the Snort Rules (bad-traffic.rlk).
- Readmefirst.txt is enclosed together with the bad-traffic.rlk in the ZIP file. Read it!


Guilfanov website and downloadlink patch: here

I don't give the direct downloadlink, it's important that you first read the instruction's on Guilfanov's site


Downloadlink modified Snort Rules#1: xxxx
Downloadlink modified Snort Rules#2: xxxx

Links removed, reason: better version available.

See post #3.


Enjoy yourself!

Smokey and The CastleCops Team

 

I cannot connect to any websites using the new snort rules. Every time I try, I get an incoming "EXPLOIT WMF Escape Record Exploit". The previous snort rules worked fine. Am I doing anything wrong?

 

Try this version of bad-traffic.rlk and please report me it's working fine or not.

Downloadlink here

 

It's working fine thank you.

 

You are welcome