Rule History

alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, confidence Medium, signature_severity Major, updated_at 2019_08_29;)