alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pupy DNS Request with SPI M3"; dns.query; bsize:>42; content:"9."; offset:7; depth:2; content:"999."; fast_pattern; distance:26; within:31; content:"9."; within:57; pcre:"/^[a-z0-8\-]{7}9\.(?:[a-z0-8\-]{8}){3,7}[a-z0-8\-]{5}9{3}\.(?:[a-z0-8\-]{8}){1,7}(?:[a-z0-8\-]{2}9{6}|[a-z0-8\-]{4}9{4}|[a-z0-8\-]{5}9{3}|[a-z0-8\-]{7}9)?\./"; reference:url,insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; classtype:command-and-control; sid:2046960; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_07_31, deployment Perimeter, deployment Internal, malware_family PupyRat, performance_impact Moderate, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_07_31; target:src_ip;)