Rule History

SID: 10010053 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 3 • Sep 25, 2025, 2:40 PM

SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling

alert dns any any -> any 53 (msg: "SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling"; flow: to_server; dsize: >80; content: "|00 01 00 00 00 00 00 00|"; offset: 4; depth: 8; content: "|20|"; distance: 0; pcre: "/\x20[a-z0-9]{32}(\x18[a-z0-9]{24}|\x10[a-z0-9]{16}|\x28[a-z0-9]{40})[\x03-\x3f][a-z0-9]/"; threshold: type threshold, track by_dst, count 2, seconds 125; reference: url, https://insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 10010053; rev: 3;)

Sep 25, 2025, 2:40 PM

Oct 16, 2025, 10:34 AM

rules/ptopen-info.rules