Versions (3)
Version DetailsCurrent
Rev: 2 • Apr 22, 2020, 12:00 PMET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_31;)
Apr 22, 2020, 12:00 PM
Mar 31, 2022, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 19, 2025, 10:35 PM
rules/emerging-malware.rules