Rule History

SID: 2019692 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 1 • Nov 12, 2014, 12:00 PM

Message:

ET MALWARE Possible Emotet DGA NXDOMAIN Responses

Rule:

alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)

Created:

Nov 12, 2014, 12:00 PM

Updated:

Jul 26, 2019, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Oct 6, 2025, 4:34 PM

Filename:

rules/emerging-malware.rules