Rule History

alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)