EmergingThreats > Main Web > 2003587 (2007-05-25, TomaszGrudziecki)

alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:5;)

Added 2007-05-03 16:30:19 UTC

Hmm, not sure I would have gone w/ $DNS_SERVERS for the destination. Many organizations may have Windows servers running DNS over RPC that are not explicitly DNS servers, but rather Domain Controllers etc.

-- BenFeinstein - 03 May 2007

We have seen many packets with destination port 445/TCP that match this rule. These packets also included shellcode in their payloads (hex): "|5c 5c 5c 5c 5c ...| (and so on)".

-- TomaszGrudziecki - 24 May 2007

Did the sourcefire rules hit at the same time? Interested if the coverage is good from theirs, so we could drop this one later.

-- MattJonkman - 24 May 2007

At the same time only Bleeding-Edge 2002903 hit (EXPLOIT x86 PexFnstenvMov/Sub Encoder). I have attached TCPDumps (see below). Sorry, I have edited the attacked IP (my company's security policy rules), but the attacker IP hasn't been changed.

-- TomaszGrudziecki - 25 May 2007


alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:4;)

Added 2007-04-13 19:15:18 UTC

Forgot the pipes in the content match.

-- MattJonkman - 15 Apr 2007

Also see MSRpcDns for other related sigs.

-- MattJonkman - 17 Apr 2007


alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:5000 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:3;)

Added 2007-04-13 18:18:39 UTC

As per MS bulletin, limiting to ports 1024:5000. Should keep load down, although this won't be a big load rule anyway.

-- MattJonkman - 13 Apr 2007


alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:2;)

Added 2007-04-13 18:00:30 UTC

Just added 65535 to the port range for clarity.

Investigating if this could be limited to 1024:5000... more shortly

-- MattJonkman - 13 Apr 2007


alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:1;)

Added 2007-04-13 15:45:23 UTC

Excerpt from the blog entry referenced in the sig:

One possible signature for intrusion detection would be to simply trigger on the GUID of {50abc2a4-574d-40b3-9d66-ee4fd5fba076}. In a protocol-analysis system, like Proventia, you could simply add that to the blacklisted GUIDs. In a pattern-match system, you can enter something like:

alert tcp any any -> any 1024: (msg:"DNS DCE-RPC exploit emergency rule"; content:"a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76"; sid:9999; )

Note that the exploit, and its evasions, are a bit more complicated than just this, so you shouldn't rely upon the above pattern signature catching everything.

-- MattJonkman - 13 Apr 2007
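To make the GUID-to-pattern mapping in the excerpt concrete, here is an added Python example (not from this page, the blog, or Emerging Threats) that derives the content bytes from the interface UUID and checks which port ranges used across the rule revisions above would see a constructed bind payload on 1025/TCP versus 445/TCP; the $HOME_NET/$DNS_SERVERS network variables are not modelled.

```python
import uuid

# DCE-RPC interface UUID for the Windows DNS Server RPC interface,
# taken from the blog excerpt quoted above.
DNS_RPC_IFACE = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"

def uuid_to_wire_bytes(guid: str) -> bytes:
    """Encode a UUID as it appears in a little-endian NDR DCE-RPC bind:
    time_low, time_mid and time_hi_and_version are byte-swapped, the
    clock_seq and node fields keep their string order."""
    return uuid.UUID(guid).bytes_le

def snort_content_hex(guid: str) -> str:
    """Render the wire bytes in Snort's |..| hex content notation."""
    return "|" + " ".join(f"{b:02x}" for b in uuid_to_wire_bytes(guid)) + "|"

def port_in_range(port: int, spec: str) -> bool:
    """Interpret Snort port specs such as '1024:5000', '1024:', '445', 'any'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_matches(payload: bytes, dst_port: int, port_spec: str) -> bool:
    """Minimal model of the rule: destination port in the spec and the
    interface UUID's wire bytes present anywhere in the payload."""
    return port_in_range(dst_port, port_spec) and uuid_to_wire_bytes(DNS_RPC_IFACE) in payload

# Constructed sample payload (not a real capture): a simplified DCE-RPC bind
# header (version 5.0, ptype 0x0b bind, first+last fragment, little-endian
# data representation) followed by zero padding and the interface UUID.
SAMPLE_BIND = (b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"\x00" * 16
               + uuid_to_wire_bytes(DNS_RPC_IFACE) + b"\x05\x00\x00\x00")

# Destination port specs used by the successive revisions of sid 2003587.
REVISION_PORTS = {1: "1024:", 2: "1024:65535", 3: "1024:5000", 4: "1024:5000", 5: "1024:5000"}

def revisions_matching(dst_port: int) -> list:
    """Which rule revisions (by port spec alone) would fire on SAMPLE_BIND to dst_port."""
    return [rev for rev, spec in REVISION_PORTS.items()
            if rule_matches(SAMPLE_BIND, dst_port, spec)]

if __name__ == "__main__":
    print(snort_content_hex(DNS_RPC_IFACE))
    for port in (1025, 445, 5001):
        print(port, revisions_matching(port))
```

The 445/TCP result shows why the packets reported in the thread hit only the encoder signature 2002903 once the port range was narrowed: a bind carried over SMB named pipes never reaches the 1024:5000 window this rule watches.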


  • tcpdump_445.txt: TCPDump (txt), destination port: 445/TCP, hit this rule and also 2002903

  • tcpdump_1025.txt: TCPDump (txt), destination port: 1025/TCP, hit this rule and also 2002903
Topic attachments

Attachment | Size | Date | Who | Comment
tcpdump_1025.txt | 16.2 K | 2007-05-25 08:58 | UnknownUser | TCPDump (txt), destination port: 1025/TCP, hit this rule and also 2002903
tcpdump_445.txt | 19.9 K | 2007-05-25 08:58 | UnknownUser | TCPDump (txt), destination port: 445/TCP, hit this rule and also 2002903
Topic revision: r8 - 2007-05-25 - TomaszGrudziecki