alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:5;)

Added 2007-05-03 16:30:19 UTC

Hmm, not sure I would have gone w/ $DNS_SERVERS for the destination. Many organizations may have Windows servers running DNS over RPC that are not explicitly DNS servers, but rather Domain Controllers etc.

-- BenFeinstein - 03 May 2007

We have seen many packets with destination port 445/TCP, that match this rule. These packets included also in payloads a shellcode (hex): "|5c 5c 5c 5c 5c ...| (and so on)".

-- TomaszGrudziecki? - 24 May 2007

Did the sourcefire rules hit at the same time? Interested if the coverage is good from theirs, so we could drop this one later.

-- MattJonkman - 24 May 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:4;)

Added 2007-04-13 19:15:18 UTC

Forgot the pipes in the content match.

-- MattJonkman - 15 Apr 2007

Also see MSRpcDns? for other related sigs

-- MattJonkman - 17 Apr 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:3;)

Added 2007-04-13 18:18:39 UTC

As per MS bulletin, limiting to ports 1024:5000. Should keep load down, although this won't be a big load rule anyway.

-- MattJonkman - 13 Apr 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:2;)

Added 2007-04-13 18:00:30 UTC

Just added 65535 to the port range for clarity.

Investigating if this could be limited to 1024:5000... more shortly

-- MattJonkman - 13 Apr 2007

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:1;)

Added 2007-04-13 15:45:23 UTC

Excerpt from the blog entry referenced in the sig:

One possible signature for intrusion detection would be to simply trigger on the GUID of {50abc2a4-574d-40b3-9d66-ee4fd5fba076}. In a protocol-analysis system, like Proventia, you could simply add that to the blacklisted GUIDs. In a pattern-match system, you can enter something like:

alert tcp any any -> any 1024: (msg:"DNS DCE-RPC exploit emergency rule"; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; sid:9999; )

Note that the exploit, and its evasions, are a bit more complicated than just this, so you shouldn't rely upon the above pattern signature catching everything.

-- MattJonkman - 13 Apr 2007