topic Anyone come up with a custom sig for WMF Exploit? in Network Security https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488023#M90829 <P>Based on bleeding snort sid, this is what I've got, but it doesn't seem to be working:</P><P>wmf exploit file:</P><P>\x01\x00\x09\x00\x00\x03.{10}\x00\x00.{0, 5000}\x26\x06\x09\x00</P><P></P> Sun, 10 Mar 2019 09:49:05 GMT mmoulder16 2019-03-10T09:49:05Z Anyone come up with a custom sig for WMF Exploit? https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488023#M90829 <P>Based on bleeding snort sid, this is what I've got, but it doesn't seem to be working:</P><P>wmf exploit file:</P><P>\x01\x00\x09\x00\x00\x03.{10}\x00\x00.{0, 5000}\x26\x06\x09\x00</P><P></P> Sun, 10 Mar 2019 09:49:05 GMT https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488023#M90829 mmoulder16 2019-03-10T09:49:05Z Re: Anyone come up with a custom sig for WMF Exploit? https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488024#M90830 <HTML><HEAD></HEAD><BODY><P>Signature 5693-1 which was released in S210 addresses this vulnerability.</P></BODY></HTML> Thu, 29 Dec 2005 21:45:46 GMT https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488024#M90830 craiwill 2005-12-29T21:45:46Z Re: Anyone come up with a custom sig for WMF Exploit? https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488025#M90831 <HTML><HEAD></HEAD><BODY><P>I installed release S211 (modified 5693-1 signature) and attempted to download an WMF file across the sensor, but the signature did not fire. What causes the WMF signature to fire?</P></BODY></HTML> Wed, 04 Jan 2006 15:49:20 GMT https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488025#M90831 tami.martin 2006-01-04T15:49:20Z Re: Anyone come up with a custom sig for WMF Exploit? https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488026#M90832 <HTML><HEAD></HEAD><BODY><P>This signature fires upon detecting a malicious wmf file downloaded from a web server running on a port specified in the #WEBPORTS variable. </P></BODY></HTML> Wed, 04 Jan 2006 16:06:17 GMT https://community.cisco.com/t5/network-security/anyone-come-up-with-a-custom-sig-for-wmf-exploit/m-p/488026#M90832 craiwill 2006-01-04T16:06:17Z