
Here’s a Snort signature for the VML exploit from BleedingEdge Snort.

# Submitted 2006-09-19 by Chris Harrington
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; flow:established,from_server; content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:2003106; rev:1;)

To use this signature in our Kerio firewall, add the rule to the “bad-traffic.rlk” file located at: C:Program FilesSunbelt SoftwarePersonal Firewall 4ConfigIDSRules.

NIPS (Network Intrusion Prevention System) must be enabled, and you must restart the Sunbelt Kerio Firewall Service (or reboot) for the rule to take effect.

This signature will likely generate false positives, but it is one remediation. Check the BleedingEdge Snort website for updates, if any.
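As an added illustration (not from the original post or from BleedingEdge), the Python below decodes the rule’s content: pattern with its |hex| escapes and applies the nocase test to a few constructed HTTP response bodies. It shows that the signature keys only on the VML namespace declaration, so any page that declares VML, exploit or not, fires sid 2003106, which is the false-positive behaviour noted above; the sample bodies and the helper names are assumptions of this example.

```python
# content: field of sid 2003106, copied from the rule above.
RULE_CONTENT = '<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>'

def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content: pattern into the raw bytes it matches.

    Text outside pipes is literal; text between a pair of pipes is hex
    bytes (|3a| is ':', |22| is '"'); spaces between hex bytes are allowed.
    """
    parts = pattern.split('|')
    if len(parts) % 2 == 0:
        raise ValueError('unbalanced | in content pattern')
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode('latin-1')                # literal text
        else:
            out += bytes.fromhex(part.replace(' ', ''))  # hex escape
    return bytes(out)

def matches_rule(payload: bytes, pattern: str = RULE_CONTENT,
                 nocase: bool = True) -> bool:
    """Snort-style substring match; nocase folds both sides to lowercase."""
    # Only the content test is modelled; the rule's flow:/port constraints are not.
    needle = decode_snort_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Constructed response bodies (not real captures).
SAMPLES = {
    # VML namespace declared in upper case: nocase still catches it.
    'vml_upper': b'<HTML XMLNS:v="urn:schemas-microsoft-com:vml"><body></body></HTML>',
    # A harmless Office-style export that also declares VML: a false positive.
    'vml_benign': b'<html xmlns:v="urn:schemas-microsoft-com:vml">\n<p>Quarterly report</p>',
    # Ordinary XHTML with no VML namespace: no alert.
    'plain': b'<html xmlns="http://www.w3.org/1999/xhtml"><body>hello</body></html>',
}

def check_samples() -> dict:
    """Map each sample name to whether the content test of sid 2003106 fires."""
    return {name: matches_rule(body) for name, body in SAMPLES.items()}

if __name__ == '__main__':
    for name, fired in check_samples().items():
        print(f'{name:11s} alert={fired}')
```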

These rules work in the Free or Full version of Sunbelt Kerio Firewall.  (Note: These are non-commercial signatures and there are no guarantees.)

Alex Eckelberry