[Snort-sigs] BOTNET-CNC Possible host infection - excessive DNS queries for .eu

Yew Chuan Ong yewchuan88 at ...2420...
Sun Mar 11 08:00:09 EDT 2012


Hi,

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BOTNET-CNC Possible host infection - excessive DNS queries for .eu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; classtype:trojan-activity; sid:21544; rev:1;)

This is the new sig posted on the VRT blog recently, which aims to find
malware within the network. I am wondering why we need to be specific about
the keyword ".eu". Can we track the related traffic by using only the
threshold?

Also, are we aiming at any specific malware besides Murofet and Kazy? I tried
to google around but can't really get it. Thanks!