Snort signature for VML exploit -- works with Kerio or other IDS

Here’s a snort signature for the VML exploit from BleedingEdge Snort.

# Submitted 2006-09-19 by Chris Harrington

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; flow:established,from_server; content:""; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:2003106; rev:1;)

To use this signature in our Kerio firewall, add the rule to the “bad-traffic.rlk” file located at C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules.

NIPS (Network Intrusion Prevention System) must be enabled, and you must restart the Sunbelt Kerio Firewall Service (or reboot) for the rule to take effect.

This signature will likely generate false positives, but it is one remediation. Check the BleedingEdge Snort website for updates, if any.
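Before dropping a rule into bad-traffic.rlk it is worth sanity-checking it, because a payload match that is empty (as the content value is in the copy reproduced on this page) leaves the header alone to decide what fires, which is exactly how a rule turns into a false-positive generator. The small linter below is an added example, not code from the original post or from BleedingEdge; it parses a Snort rule into header fields and options and reports the problems a defender would want to know about first.

```python
import re

# Constructed copy of the rule as reproduced on this page, empty content value included.
PAGE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
             '(msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; '
             'flow:established,from_server; content:""; nocase; '
             'reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; '
             'classtype:misc-attack; sid:2003106; rev:1;)')

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
PAYLOAD_KEYS = ('content', 'pcre')

def split_options(body):
    """Split on ';' outside double quotes (honouring backslash escapes) into (keyword, value) pairs."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped or ch == '\\':
            escaped = not escaped          # keep the escape byte and the byte after it
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            key, _, val = ''.join(cur).strip().partition(':')
            if key:
                opts.append((key.strip(), val.strip()))   # keyword-only options get ''
            cur = []
            continue
        cur.append(ch)
    if in_quote or ''.join(cur).strip():
        raise ValueError('unbalanced quote or option missing its ";"')
    return opts

def parse_rule(text):
    """Return (header fields, options); raise on a malformed rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('unrecognised rule header')
    *header, body = m.groups()
    return header, split_options(body)

def lint_rule(text):
    """Problems worth fixing before the rule goes into an IDS rules file."""
    _, opts = parse_rule(text)
    keys = [k for k, _ in opts]
    problems = [f'missing {k}' for k in ('msg', 'sid', 'rev', 'classtype') if k not in keys]
    payloads = [v.strip('"') for k, v in opts if k in PAYLOAD_KEYS]
    if not any(payloads):                  # no payload match, or only empty ones
        problems.append('no usable content/pcre: the header alone decides every match')
    return problems
```

Running lint_rule(PAGE_RULE) reports the empty content match; once a real content value is in place the rule lints clean and can be added to the rules file.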

These rules work in the Free or Full version of Sunbelt Kerio Firewall. (Note: These are non-commercial signatures and there are no guarantees.)