Using Snort, the wmf exploit can be detected with these set of rules.
# This Rule
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,
established; content:”HTTP|2F|1|2E|”; nocase; depth: 0;
content:”200 OK”; nocase; within:8;
flowbits: set,HTTPSTREAM;flowbits:noalert; classtype:VM;)
# Identifies the HTTP stream for these rules
alert tcp any $HTTP_PORTS -> any any (sid:1006183;
flowbits: isset, HTTPSTREAM;
flowbits:isnotset, WMF; content:”HTTP|2F|1|2E|”; nocase; depth: 0;
content:”200 OK”; nocase; within:8; content:”|0D 0A 0D 0A|”;
pcre:”/.{0,8}[x01x02]x00x09x00x00x03/AR”;
flowbits:set,WMF; flowbits:noalert; classtype:VM;)
alert tcp any $HTTP_PORTS -> any any (sid:1006185;
flowbits: isset, HTTPSTREAM; flowbits:isnotset, WMF;
content:”|00 09 00 00 03|”; distance: 1;
pcre:”/[x01x02]x00x09x00x00x03/”; flowbits:set,WMF;
flowbits:noalert; classtype:VM;)
#Which identifies a WMF for this rule
alert tcp any $HTTP_PORTS -> any any (sid:1006187;flowbits:isset,WMF;
content:”|26 06 09 00|”; classtype: VM;)
The rules were taken from ISC.SANS.ORG.
For those who are not familiar with Snort, here is a definition from www.snort.org: Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Find more about snort here.