Rule History

SID: 2018316 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 5 • Mar 25, 2014, 12:00 PM

Message:

ET INFO Possible Zeus GameOver/FluBot Related DGA Pattern

Rule:

alert udp any 53 -> $HOME_NET any (msg:"ET INFO Possible Zeus GameOver/FluBot Related DGA Pattern"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:misc-activity; sid:2018316; rev:5; metadata:created_at 2014_03_25, deprecation_reason Relevance, former_category MALWARE, confidence Medium, signature_severity Major, updated_at 2025_04_10;)

Created:

Mar 25, 2014, 12:00 PM

Updated:

Apr 10, 2025, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-info.rules