Title: [Translation] Using rules to make Kerio Firewall block the WMF exploit
scf76
Posted 2006-3-25 23:43

Protect yourself from the WMF exploit using the Sunbelt Kerio Firewall


  
Using rules to make Kerio Firewall block the WMF exploit



Translation: RAY811 (please credit when reposting)


A personal blog has posted a snort rule to block all infected Windows Metafiles (WMF). We have tested this with our Kerio Firewall product and it does indeed work and block all of this nasty stuff.

A personal website has published a rule that blocks all infected Windows Metafiles (WMF); in our tests with the Kerio firewall, this rule does indeed block WMF infections. (This test comes from Eric Sites -- RAY811)

When implemented in Sunbelt Kerio Personal Firewall, these rules have been successful in blocking different variations of the WMF (Windows Metafile) exploit:

Once this rule is in place in Sunbelt Kerio Personal Firewall, it successfully blocks infection by multiple variants of the WMF (Windows Metafile) exploit.

You can add these two rules into the "bad-traffic.rlk" file located at: C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules\

How to add the rules: (I suggest exiting the Kerio firewall first -- RAY811), then add the two rules in the box below to the "bad-traffic.rlk" file (open it with Notepad; I suggest backing up the original file before making any changes -- RAY811). The path of the "bad-traffic.rlk" file is:
C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules\


QUOTE:
# Byte patterns in Snort rules are binary content and must be enclosed in |...| delimiters;
# the delimiters were lost in the forum rendering and are restored here.
alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

# WMF header (mtType=1, mtHeaderSize=9, mtVersion=0x0300) within the first 500 bytes, mtNoParameters=0 at its expected offset,
# then a META_ESCAPE (0x0626) record with escape code 0x0009 (SETABORTPROC) within the next 5000 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)


NIPS (Network Intrusion Prevention System) must be enabled.

To use this rule, make sure the NIPS (Network Intrusion Prevention System) module in Kerio is enabled.

And you must restart the Sunbelt Kerio Firewall Service or reboot for these rules to take effect.

After adding the code, I recommend rebooting the system. (Although the author says restarting Kerio Firewall is also sufficient, I still recommend rebooting the system. -- RAY811)


These rules work in the Free or Full version of Sunbelt Kerio Firewall.

These rules work in both the free and full versions of Kerio.


If you don't feel like adding them by hand, you can download my attachments. Some users have found that they can no longer open pages in IE after applying these rules, so attachment two is a backup of the original file; if you run into this problem, copy the original file back into the directory, overwrite the file of the same name, and reboot to recover. -- RAY811

Attachment (1) is the enhanced rule file that blocks the WMF exploit.

Attachment (2) is the original rule file.
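To make it clear what the second quoted rule (sid 2002733) actually tests for when Kerio's NIPS runs it, here is an added Python re-implementation of its content/depth/distance/within chain. This is example code written for this page, not code from the original post, from Sunbelt or from the Bleeding Edge rule set; the sample byte strings are constructed minimal WMF headers and records, not real metafiles, and the function name is my own.

```python
# Added example, not from the original post: a Python re-implementation of the
# matching chain of Snort rule sid 2002733 quoted above, so a defender can read
# exactly what the signature checks in a WMF stream. All samples are constructed.

# Standard WMF header start: mtType=1, mtHeaderSize=9 words, mtVersion=0x0300
WMF_HEADER = bytes.fromhex("01 00 09 00 00 03")
# rdFunction=0x0626 (META_ESCAPE) followed by escape code 0x0009 (SETABORTPROC)
META_ESCAPE_SETABORTPROC = bytes.fromhex("26 06 09 00")


def matches_wmf_escape_rule(data: bytes) -> bool:
    """Return True when `data` satisfies the rule's three chained content checks.

    Snort semantics reproduced:
      content:"|01 00 09 00 00 03|"; depth:500   header must lie entirely within the first 500 bytes
      content:"|00 00|"; distance:10; within:12  next match starts >= 10 and ends <= 12 bytes past the last match
      content:"|26 06 09 00|"; within:5000       escape bytes must end within 5000 bytes of that match
    Like Snort, every header occurrence inside the depth window is tried before giving up.
    """
    start = 0
    while True:
        hdr = data.find(WMF_HEADER, start, 500)
        if hdr < 0:
            return False
        cursor = hdr + len(WMF_HEADER)
        # Header offsets 16-17 hold mtNoParameters, which is always zero in a valid WMF
        zeros = data.find(b"\x00\x00", cursor + 10, cursor + 12)
        if zeros >= 0:
            cursor = zeros + 2
            if data.find(META_ESCAPE_SETABORTPROC, cursor, cursor + 5000) >= 0:
                return True
        start = hdr + 1


# Constructed 18-byte header: mtSize=12 words, mtNoObjects=0, mtMaxRecord=4 words, mtNoParameters=0
_HEADER = WMF_HEADER + bytes.fromhex("0c 00 00 00 00 00 04 00 00 00 00 00")
# Constructed META_EOF record: rdSize=3 words, rdFunction=0x0000
_EOF_RECORD = bytes.fromhex("03 00 00 00 00 00")
# Constructed META_ESCAPE record: rdSize=4 words, rdFunction=0x0626, escape=0x0009 (SETABORTPROC)
_ESCAPE_RECORD = bytes.fromhex("04 00 00 00") + META_ESCAPE_SETABORTPROC

BENIGN_WMF = _HEADER + _EOF_RECORD                    # header + EOF only: not flagged
ESCAPE_WMF = _HEADER + _ESCAPE_RECORD + _EOF_RECORD   # carries the SETABORTPROC escape record: flagged
LATE_HEADER_WMF = bytes(600) + ESCAPE_WMF             # header begins after byte 500: depth:500 limits the header check to the first 500 bytes

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_WMF), ("escape", ESCAPE_WMF), ("late header", LATE_HEADER_WMF)]:
        print(f"{name}: {'ALERT' if matches_wmf_escape_rule(sample) else 'pass'}")
```

The third sample only illustrates what `depth:500` means for the rule's coverage: the header search stops at byte 500 of the payload, so the first two checks are bounded by the start of the stream while the escape record may follow up to 5000 bytes later.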
