Frank Knobbe from bleedingsnort.com sent us some new and improved rules for the WMF exploit. As you can tell by the various iterations we went through, a lot of work went into these rules.
First a couple notes about these rules:
In its simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port, and link to the image on the odd port.
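The coverage gap described above can be checked mechanically. This added example (not part of the original diary or the Bleedingsnort rules) compares the server-port field of a rule header with the ports your firewall lets clients reach. The variable values, the firewall port list and the rule text are constructed, the rule options are a placeholder rather than the WMF signature, and it assumes the port restriction sits in the source-port field because the image travels from server to client.

```python
# Constructed sample values (assumptions, not taken from the original post).
SNORT_VARS = {"$HTTP_PORTS": "[80,8080]"}
EGRESS_ALLOWED = {80, 8080, 8000, 8888}  # TCP ports clients may reach through the firewall

# Placeholder rules: only the header matters here, the options are not the real signature.
RULE_LIMITED = 'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder";)'
RULE_ANY = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder";)'


def expand_ports(spec, variables):
    """Expand a Snort port spec (any, N, lo:hi, [a,b:c], $VAR) into a set of ints.
    Negated specs (!80) are not handled in this sketch."""
    spec = variables.get(spec, spec).strip()
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for part in spec.strip("[]").split(","):
        part = part.strip()
        if ":" in part:
            lo, hi = part.split(":")
            ports |= set(range(int(lo or 1), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def server_ports(rule, variables):
    """Source-port set of a header: action proto src sport -> dst dport (options)."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("unexpected rule header: %r" % rule)
    return expand_ports(fields[3], variables)


def uncovered_ports(rule, variables, egress_allowed):
    """Ports the firewall lets clients reach that the rule never inspects."""
    return sorted(set(egress_allowed) - server_ports(rule, variables))


if __name__ == "__main__":
    for name, rule in (("limited", RULE_LIMITED), ("any", RULE_ANY)):
        gap = uncovered_ports(rule, SNORT_VARS, EGRESS_ALLOWED)
        print(name, "rule leaves uninspected egress ports:", gap or "none")
```

A non-empty result means either the firewall policy or the rule's port field needs to change before the port restriction is safe to rely on.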
Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the bleedingsnort CVS repository)
Dec 30th 2005