ET HUNTING curl in DNS TXT Response
Source: et/open
Created: December 12, 2023
Updated: December 12, 2023
Classification: bad-unknown
alert dns any any -> $HOME_NET any (msg:"ET HUNTING curl in DNS TXT Response"; content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"|00 10|"; distance:0; content:"curl|20|"; fast_pattern; distance:0; reference:url,www.malware-traffic-analysis.net/2023/12/07/index.html; reference:url,x.com/unit42_intel/status/1732857094167023618; classtype:bad-unknown; sid:2049647; rev:1; metadata:attack_target Client_and_Server, created_at 2023_12_12, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Informational, updated_at 2023_12_12; target:dest_ip;)
References
Metadata
attack target: Client_and_Server
created at: 2023_12_12
deployment: Internal
performance impact: Low
confidence: Medium
signature severity: Informational
updated at: 2023_12_12