
dnsbl_share.rules

a guest
Jul 31st, 2015
  1. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain hopto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hopto|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000000; rev:1;)
  2. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain no-ip.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|no-ip|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000001; rev:1;)
  3. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain no-ip.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|no-ip|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000002; rev:1;)
  4. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain no-ip.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|no-ip|03|biz|00|"; fast_pattern:only; metadata:service dns; sid:1000003; rev:1;)
  5. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain no-ip.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|no-ip|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000004; rev:1;)
  6. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain noip.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|noip|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000005; rev:1;)
  7. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ddns.name"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ddns|04|name|00|"; fast_pattern:only; metadata:service dns; sid:1000006; rev:1;)
  8. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain myftp.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|myftp|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000007; rev:1;)
  9. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain myftp.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|myftp|03|biz|00|"; fast_pattern:only; metadata:service dns; sid:1000008; rev:1;)
  10. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain serveblog.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|serveblog|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000009; rev:1;)
  11. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servebeer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|servebeer|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000010; rev:1;)
  12. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servemp3.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|servebeer|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000011; rev:1;)
  13. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain serveftp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|serveftp|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000012; rev:1;)
  14. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servequake.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|servequake|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000013; rev:1;)
  15. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servehalflife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|servehalflife|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000014; rev:1;)
  16. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servehttp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|servehttp|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000015; rev:1;)
  17. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servegame.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|servegame|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000016; rev:1;)
  18. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain servepics.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|servepics|03|com"; fast_pattern:only; metadata:service dns; sid:1000017; rev:1;)
  19. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain myvnc.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|myvnc|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000018; rev:1;)
  20. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ignorelist.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ignorelist|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000019; rev:1;)
  21. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain jkub.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jkub|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000020; rev:1;)
  22. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dlinkddns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dlinkddns|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000021; rev:1;)
  23. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain jumpingcrab.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jumpingcrab|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000022; rev:1;)
  24. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ddns.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ddns|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000023; rev:1;)
  25. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain mooo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mooo|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000024; rev:1;)
  26. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dns-dns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dns-dns|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000025; rev:1;)
  27. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain strangled.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|strangled|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000026; rev:1;)
  28. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ddns.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ddns|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000027; rev:1;)
  29. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain adultdns.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|adultdns|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000028; rev:1;)
  30. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain craftx.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|craftx|03|biz|00|"; fast_pattern:only; metadata:service dns; sid:1000029; rev:1;)
  31. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ddns01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ddns01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000030; rev:1;)
  32. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dns53.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dns53|03|biz|00|"; fast_pattern:only; metadata:service dns; sid:1000031; rev:1;)
  33. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsapi.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dnsapi|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000032; rev:1;)
  34. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsd.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dnsd|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000033; rev:1;)
  35. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsdynamic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dnsdynamic|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000034; rev:1;)
  36. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsdynamic.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dnsdynamic|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000035; rev:1;)
  37. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsget.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dnsget|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000036; rev:1;)
  38. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain fe100.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fe100|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000037; rev:1;)
  39. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain flashserv.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|flashserv|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000038; rev:1;)
  40. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ftp21.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ftp21|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000039; rev:1;)
  41. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain http01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|http01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000040; rev:1;)
  42. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain http80.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|http80|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000041; rev:1;)
  43. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain https443.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|https443|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000042; rev:1;)
  44. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain imap01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|imap01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000043; rev:1;)
  45. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain kadm5.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|kadm5|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000044; rev:1;)
  46. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain mysq1.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mysq1|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000045; rev:1;)
  47. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ns360.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ns360|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000046; rev:1;)
  48. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ntdll.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ntdll|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000047; rev:1;)
  49. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ole32.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ole32|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000048; rev:1;)
  50. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain proxy8080.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|proxy8080|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000049; rev:1;)
  51. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain sql01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sql01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000050; rev:1;)
  52. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ssh01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ssh01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000051; rev:1;)
  53. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ssh22.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ssh22|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000052; rev:1;)
  54. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain tempors.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tempors|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000053; rev:1;)
  55. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain tftpd.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tftpd|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000054; rev:1;)
  56. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ttl60.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ttl60|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000055; rev:1;)
  57. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain ttl60.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ttl60|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000056; rev:1;)
  58. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain user32.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|user32|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000057; rev:1;)
  59. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain voip01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|voip01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000058; rev:1;)
  60. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain wow64.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wow64|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000059; rev:1;)
  61. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain x64.me"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|x64|02|me|00|"; fast_pattern:only; metadata:service dns; sid:1000060; rev:1;)
  62. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain xns01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xns01|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000061; rev:1;)
  63. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dyndns.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dyndns|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000062; rev:1;)
  64. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dyndns.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dyndns|04|info|00|"; fast_pattern:only; metadata:service dns; sid:1000063; rev:1;)
  65. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dyndns.tv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dyndns|02|tv|00|"; fast_pattern:only; metadata:service dns; sid:1000064; rev:1;)
  66. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dyndns-at-home.com "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|dyndns-at-home|03|com"; fast_pattern:only; metadata:service dns; sid:1000065; rev:1;)
  67. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sytes|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000066; rev:1;)
  68. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain dnsomatic.com "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsomatic|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000067; rev:1;)
  69. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain zapto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zapto|03|org|00|"; fast_pattern:only; metadata:service dns; sid:1000068; rev:1;)
  70. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain webhop.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|webhop|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000069; rev:1;)
  71. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain 25u.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|25u|03|com|00|"; fast_pattern:only; metadata:service dns; sid:1000070; rev:1;)
  72. alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE query to known dynamic DNS domain slyip.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slyip|03|net|00|"; fast_pattern:only; metadata:service dns; sid:1000071; rev:1;)
  73. alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .to dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|to|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:1000072; rev:1; )
  74. alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .pl dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:1000073; rev:1; )
  75. alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .tw dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tw|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:1000074; rev:1; )
  76. alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .tk dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:1000075; rev:1; )