Temporary MS DNS Rule
This is a temporary sig until we have more information. I’d recommend running it only on your Internet-facing sensors. The discussion at the first reference link is very useful.
### EXPERIMENTAL ###
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE CURRENT EVENTS MS DNS DCE-RPC Temporary Rule - Possible Attack"; flow:established; content:"|a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76|"; classtype:attempted-admin; reference:url,erratasec.blogspot.com/2007/04/news-from-microsoft-dns-0day-being.html; reference:url,isc.sans.org/diary.html?storyid=2627; sid:2003587; rev:3;)
Please report any falses ASAP.
Matt
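Added example, not part of the original post or the Bleeding Edge rule set: the rule's 16 content bytes are the little-endian wire form of 50abc2a4-574d-40b3-9d66-ee4fd5fba076, the UUID of the Windows DNS server's management RPC interface, so the rule fires on any established inbound stream to a high port that carries those bytes. The Python below decodes the pattern and compares the rule's anywhere-in-payload match with a stricter "is this a DCE/RPC bind to that interface" check, which helps when triaging alerts. The function names and all payloads are constructed for illustration, and little-endian data representation is assumed.

```python
import struct
import uuid

# Content match copied from the rule on this page (sid 2003587).
PATTERN = bytes.fromhex("a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76")
# DCE/RPC sends the first three UUID fields little-endian, so the pattern
# reads back as the interface UUID a client names in its bind request.
IFACE = uuid.UUID(bytes_le=PATTERN)
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def build_bind(iface):
    """Constructed sample: DCE/RPC v5 bind PDU with one presentation context."""
    ctx = struct.pack("<HBx", 0, 1) + iface.bytes_le + struct.pack("<HH", 5, 0)
    ctx += NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBxH", 4280, 4280, 0, 1, 0) + ctx
    return struct.pack("<BBBBIHHI", 5, 0, 11, 3, 0x10, 16 + len(body), 0, 1) + body


def rule_content_hits(payload):
    """What the rule's content option tests: the 16 bytes anywhere in the payload."""
    return PATTERN in payload


def bind_interfaces(pdu):
    """Stricter triage check: interface UUIDs offered in a v5 bind PDU, else []."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:  # ptype 11 = bind
        return []
    found, off = [], 28  # 16-byte header + 12 bytes of bind fields
    for _ in range(pdu[24]):  # n_context_elem
        if off + 24 > len(pdu):
            break
        found.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * pdu[off + 2]  # skip this item's transfer syntaxes
    return found


# Constructed payloads, not captured traffic.
DNS_BIND = build_bind(IFACE)
OTHER_BIND = build_bind(uuid.UUID(int=1))
STRAY = b"constructed bytes, not RPC: " + PATTERN

if __name__ == "__main__":
    print("rule pattern as UUID:", IFACE)
    for name, p in [("dns bind", DNS_BIND), ("other bind", OTHER_BIND), ("stray", STRAY)]:
        print(name, "content hit:", rule_content_hits(p), "bind to DNS iface:", IFACE in bind_interfaces(p))
```

A content hit that is not also a bind to the interface (the STRAY case) is the kind of false positive worth reporting.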