Rule History

alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_12_04;)