-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathemerging-dns.rules
208 lines (122 loc) · 30 KB
/
emerging-dns.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2019, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns_query; content:".pw"; nocase; isdataat:!1,relative; content:!".u.pw"; isdataat:!1,relative; nocase; classtype:bad-unknown; sid:2016778; rev:5; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; dns_query; content:".su"; nocase; isdataat:!1,relative; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:2; metadata:created_at 2012_01_31, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.top domain - Likely Hostile"; dns_query; content:".top"; nocase; isdataat:!1,relative; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative; nocase; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; dns_query; content:".cu.cc"; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013172; rev:3; metadata:created_at 2011_07_02, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; dns_query; content:".co.tv"; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012956; rev:4; metadata:created_at 2011_06_08, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns_query; content:".gr.com"; isdataat:!1,relative; metadata: former_category HUNTING; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:3; metadata:created_at 2017_12_12, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious shell .now .sh Domain"; dns_query; content:"shell.now.sh"; nocase; isdataat:!1,relative; metadata: former_category HUNTING; reference:url,www.lacework.com/blog-attacks-exploiting-confluence; classtype:misc-attack; sid:2027367; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_05_18, performance_impact Low, updated_at 2019_09_28;)
#alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; metadata: former_category DNS; classtype:bad-unknown; sid:2027759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_07_26, updated_at 2019_07_26;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; metadata: former_category DNS; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:3; metadata:created_at 2010_11_09, updated_at 2019_08_29;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:7; metadata:created_at 2010_12_30, updated_at 2019_08_29;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; dns_query; content:".ae.am"; fast_pattern; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012900; rev:5; metadata:created_at 2011_05_31, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; dns_query; content:".qc.cx"; fast_pattern; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012903; rev:5; metadata:created_at 2011_05_31, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns_query; content:".tk"; fast_pattern; nocase; isdataat:!1,relative; content:!"www.google.tk"; metadata: former_category DNS; classtype:bad-unknown; sid:2012811; rev:5; metadata:created_at 2011_05_15, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns_query; content:".to"; isdataat:!1,relative; fast_pattern; metadata: former_category DNS; classtype:bad-unknown; sid:2027757; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_07_26, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns_query; content:".cc"; isdataat:!1,relative; fast_pattern; metadata: former_category DNS; classtype:bad-unknown; sid:2027758; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_07_26, updated_at 2019_09_28;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:5; metadata:created_at 2010_10_12, updated_at 2019_09_03;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; dns_query; content:".vv.cc"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012826; rev:3; metadata:created_at 2011_05_19, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for a Suspicious *.noc.su domain"; dns_query; content:".noc.su"; fast_pattern; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012901; rev:4; metadata:created_at 2011_05_31, updated_at 2019_09_03;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; dns_query; content:".co.be"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013124; rev:5; metadata:created_at 2011_06_28, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; dns_query; content:"ianxz6zefk72ulzz.onion"; depth:22; classtype:policy-violation; sid:2013016; rev:4; metadata:created_at 2011_06_13, updated_at 2019_09_03;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .net.tf Domain"; dns_query; content:".net.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013847; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .eu.tf Domain"; dns_query; content:".eu.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013848; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .int.tf Domain"; dns_query; content:".int.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013849; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .edu.tf Domain"; dns_query; content:".edu.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013850; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .us.tf Domain"; dns_query; content:".us.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013851; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .ca.tf Domain"; dns_query; content:".ca.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013852; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .bg.tf Domain"; dns_query; content:".bg.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013853; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .ru.tf Domain"; dns_query; content:".ru.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013854; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .pl.tf Domain"; dns_query; content:".pl.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013855; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .cz.tf Domain"; dns_query; content:".cz.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013856; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .de.tf Domain"; dns_query; content:".de.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013857; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .at.tf Domain"; dns_query; content:".at.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013858; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .ch.tf Domain"; dns_query; content:".ch.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013859; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .sg.tf Domain"; dns_query; content:".sg.tf"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013860; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .nl.ai Domain"; dns_query; content:".nl.ai"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013861; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .xe.cx Domain"; dns_query; content:".xe.cx"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013862; rev:3; metadata:created_at 2011_11_07, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .noip.cn Domain"; dns_query; content:".noip.cn"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013970; rev:3; metadata:created_at 2011_11_28, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; dns_query; content:".ch.vu"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:6; metadata:created_at 2012_02_27, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; dns_query; content:".be.ma"; fast_pattern; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2012902; rev:5; metadata:created_at 2011_05_31, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for a Suspicious *.upas.su domain"; dns_query; content:".upas.su"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:bad-unknown; sid:2015550; rev:3; metadata:created_at 2012_07_31, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; dns_query; content:".co.cc"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:5; metadata:created_at 2010_09_27, updated_at 2019_09_28;)
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; dns_query; content:"tun.vpnoverdns.com"; depth:18; fast_pattern; nocase; isdataat:!1,relative; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:4; metadata:created_at 2014_05_01, updated_at 2019_09_28;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; metadata: former_category DNS; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:4; metadata:created_at 2013_03_13, updated_at 2019_10_07;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; metadata: former_category DNS; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:2; metadata:created_at 2013_03_13, updated_at 2019_10_07;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; metadata: former_category DNS; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:3; metadata:created_at 2013_03_13, updated_at 2019_10_07;)