VRT Advisories

VRT Rules 2005-12-30

Sourcefire VRT Update

Date: 2005-12-30


The Sourcefire Vulnerability Research Team (VRT) has learned of multiple vulnerabilities affecting hosts using the Microsoft operating system. The VRT has also learned of a new Sober worm variant that displays uniquely detectable infection characteristics.


The Microsoft Windows graphics rendering engine does not correctly parse windows metafile (wmf) format files. As a result, viewing a corrupted file may present an attacker with the opportunity to execute code of their choosing.

The Sourcefire VRT has confirmed that a rule identified as sid 2436, released on May 21, 2004, will generate events when an attempt is made to exploit this vulnerability. Also, rules to detect attacks targeting this vulnerability are included in this update and are identified as sids 5318 and 5319.

Note: Due to the possibility of a high false positive rate, sid 5318 is not enabled by default.

WARNING: To reduce the possibility of evasion, http_inspect needs to be configured with "flow_depth 0" so that it can inspect all the traffic from HTTP server responses. Setting flow_depth 0 will cause performance problems in some situations.

The Sober worm is a mass mailer normally spread via email. A variant of this worm displays more infection indicators that can be detected easily using rules.

Rules to detect machines infected with this variant of the sober worm are included in this update and are identified as sids 5321 through 5323.

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.