Versions (4)
Version DetailsCurrent
Rev: 4 • Jul 27, 2012, 12:00 PMET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl
alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Jul 27, 2012, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 13, 2025, 9:34 PM
rules/emerging-malware.rules