alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:5;)
Added 2007-05-03 16:30:19 UTC
Hmm, not sure I would have gone w/ $DNS_SERVERS for the destination. Many organizations may have Windows servers running DNS over RPC that are not explicitly DNS servers, but rather Domain Controllers etc.
--
BenFeinstein - 03 May 2007
We have seen many packets with destination port 445/TCP that match this rule. These packets also included in their payloads a shellcode (hex): "|5c 5c 5c 5c 5c ...| (and so on)".
--
TomaszGrudziecki - 24 May 2007
Did the Sourcefire rules hit at the same time? Interested if the coverage is good from theirs, so we could drop this one later.
--
MattJonkman - 24 May 2007
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:4;)
Added 2007-04-13 19:15:18 UTC
Forgot the pipes in the content match.
--
MattJonkman - 15 Apr 2007
Also see MSRpcDns for other related sigs.
--
MattJonkman - 17 Apr 2007
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:3;)
Added 2007-04-13 18:18:39 UTC
As per MS bulletin, limiting to ports 1024:5000. Should keep load down, although this won't be a big load rule anyway.
--
MattJonkman - 13 Apr 2007
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:2;)
Added 2007-04-13 18:00:30 UTC
Just added 65535 to the port range for clarity.
Investigating if this could be limited to 1024:5000... more shortly
--
MattJonkman - 13 Apr 2007
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:1;)
Added 2007-04-13 15:45:23 UTC
Excerpt from the blog entry referenced in the sig:
One possible signature for intrusion detection would be to simply trigger on the GUID of {50abc2a4-574d-40b3-9d66-ee4fd5fba076}. In a protocol-analysis system, like Proventia, you could simply add that to the blacklisted GUIDs. In a pattern-match system, you can enter something like:
alert tcp any any -> any 1024: (msg:"DNS DCE-RPC exploit emergency rule"; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; sid:9999; )
Note that the exploit, and its evasions, are a bit more complicated than just this, so you shouldn't rely upon the above pattern signature catching everything.
--
MattJonkman - 13 Apr 2007
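The blog excerpt above turns the textual GUID {50abc2a4-574d-40b3-9d66-ee4fd5fba076} into the byte string the rule matches, and the rev:4 note explains why the pipes matter. The following added example, which is not part of the Bleeding Edge rule set or of any post in this thread, reproduces that GUID-to-content conversion with Python's standard library and then applies the rule's two conditions (content match plus the 1024:5000 destination range) to a few constructed flows, including the 445/TCP case raised in the discussion. The DCE-RPC header bytes and port numbers in the samples are constructed for illustration; the function names are this example's own.

```python
import uuid

# Added example, not the rule set's own code. The interface GUID is the one
# quoted from the blog excerpt on the page; all other values are constructed.
DNS_RPC_GUID = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"
RULE_PORT_RANGE = (1024, 5000)   # destination range used from rev:3 onward


def guid_to_wire_bytes(guid_str: str) -> bytes:
    """Bytes a DCE-RPC interface UUID occupies in a bind request.

    The first three fields are sent little-endian and the last two as written,
    which is why the rule's content bytes do not follow the textual GUID order.
    """
    return uuid.UUID(guid_str).bytes_le


def snort_content(guid_str: str) -> str:
    """Render the wire bytes as a Snort/Suricata hex content match.

    The surrounding pipes matter: without them (as in rev:3) the engine looks
    for the literal ASCII string "a4 c2 ab ..." instead of the binary bytes.
    """
    hex_bytes = " ".join(f"{b:02x}" for b in guid_to_wire_bytes(guid_str))
    return f"|{hex_bytes}|"


def in_rule_port_range(dport: int, port_range=RULE_PORT_RANGE) -> bool:
    low, high = port_range
    return low <= dport <= high


def content_matches(payload: bytes, guid_str: str = DNS_RPC_GUID) -> bool:
    return guid_to_wire_bytes(guid_str) in payload


def classify_flow(dport: int, payload: bytes) -> str:
    """Apply the rule's two conditions to one reassembled client->server flow.

    Returns:
      "alert"        - content present and destination port inside 1024:5000
      "content-only" - content present but port outside the range (the 445/TCP
                       observation from the thread; the rule as written is
                       silent on such flows)
      "clean"        - content absent
    """
    if not content_matches(payload):
        return "clean"
    return "alert" if in_rule_port_range(dport) else "content-only"


# Constructed sample payloads. The prefix imitates a DCE-RPC bind PDU header
# (version 5.0, packet type 0x0b) followed by zeroed bind-body fields, purely
# so the GUID sits in a plausible position; this is not captured traffic.
BIND_PREFIX = bytes.fromhex("05000b03100000004800000001000000") + bytes(16)
SAMPLE_FLOWS = [
    # bind to the DNS RPC interface on an ephemeral port: the rule's target case
    (1500, BIND_PREFIX + guid_to_wire_bytes(DNS_RPC_GUID)),
    # same bytes but to 445/TCP: content matches, port range does not
    (445, BIND_PREFIX + guid_to_wire_bytes(DNS_RPC_GUID)),
    # bind to some other (nil) interface: no match
    (1500, BIND_PREFIX + uuid.UUID(int=0).bytes_le),
    # the ASCII text a pipe-less content (rev:3) would have matched; the
    # binary match correctly ignores it
    (1500, snort_content(DNS_RPC_GUID).strip("|").encode()),
]


def classify_samples(flows=SAMPLE_FLOWS):
    return [classify_flow(dport, payload) for dport, payload in flows]


if __name__ == "__main__":
    print("rule content:", snort_content(DNS_RPC_GUID))
    for (dport, _), verdict in zip(SAMPLE_FLOWS, classify_samples()):
        print(f"dport={dport:<5} -> {verdict}")
```

The second sample is the practical point of the 445/TCP comment: a content-only hit on a port outside 1024:5000 produces no alert from this rule, so anyone relying on it for coverage of SMB-carried RPC traffic needs a separate rule or a wider port range, at the cost of the load the 1024:5000 restriction was meant to avoid.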