SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling

SID: 10010053
Rev: 3
Source: ptrules/open
Created: September 25, 2025
Updated: September 25, 2025
Classification: misc-activity
alert dns any any -> any 53 (msg:"SUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling"; flow:to_server; dsize:>80; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; content:"|20|"; distance:0; pcre:"/\x20[a-z0-9]{32}(\x18[a-z0-9]{24}|\x10[a-z0-9]{16}|\x28[a-z0-9]{40})[\x03-\x3f][a-z0-9]/"; threshold:type threshold, track by_dst, count 2, seconds 125; reference:url, https://insights.infoblox.com/resources-whitepaper/infoblox-whitepaper-decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns; reference:url, rules.ptsecurity.com; classtype:misc-activity; sid:10010053; rev:3;)
