[Emerging-Sigs] RBN-Blackhole evasion tactic
Jack Pepper
pepperjack at afferentsecurity.com
Fri Feb 15 14:15:45 EST 2008
FWIW, here are 271 rules that look for wildcard DNS lookups. I just
enumerated all the country codes and IANA TLDs to make this list.
I am going to try it out and see if I get lots of bogus hits, or maybe
... who knows.
Feel free to give them a try, see what we find.
If the attachment gets cut off for some reason, I put it on my website at:
http://www.autoshun.org/downloads/wildcard-dns.rules
Let me know if anyone has suggestions.
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
-------------- next part --------------
# Wildcard DNS rules by Jack Pepper pepperjack at autoshun.org
# just to see what happens ....
#
# Experimental set: one rule per TLD, all with the same shape. Each rule alerts
# on a UDP packet from a host outside $DNS_SERVERS to $DNS_SERVERS port 53 whose
# payload contains a one-byte DNS label "*" (|01|*) and a length-prefixed label
# equal to the TLD (e.g. |04|asia), the latter matched case-insensitively.
#
# NOTE(review): points to confirm before enabling these in production:
# - The TLD content carries no distance/within, so it is not tied to the
#   position of the "*" label and may match anywhere in the payload. It is also
#   not followed by the |00| root label, so a label such as "com" in the middle
#   of a longer name would satisfy it as well.
# - distance/within on the first content have no earlier match to be relative
#   to. "distance: 2" presumably skips the 2-byte DNS transaction ID; the
#   question name itself starts after the 12-byte DNS header. Confirm how your
#   Snort version evaluates this, or express it with offset/depth.
# - Only queries addressed to $DNS_SERVERS are inspected; clients that query
#   other resolvers directly are not covered by this rule header.
# - reference:url,ref.ref.com looks like a placeholder, and
#   classtype:trojan-activity is a strong label for an untested heuristic.
#   Expect false positives until the set has been tuned on real traffic.
# - The "*" label test is identical in every rule; the per-TLD content only
#   changes the alert message. A single rule on the "*" label would likely give
#   the same coverage and would not go stale as TLDs are added.
#
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .asia"; content:"|01|*"; distance: 2; within: 255; content: "|04|asia"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000901; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .biz"; content:"|01|*"; distance: 2; within: 255; content: "|03|biz"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000902; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cat"; content:"|01|*"; distance: 2; within: 255; content: "|03|cat"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000903; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .com"; content:"|01|*"; distance: 2; within: 255; content: "|03|com"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000904; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .coop"; content:"|01|*"; distance: 2; within: 255; content: "|04|coop"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000905; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .info"; content:"|01|*"; distance: 2; within: 255; content: "|04|info"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000906; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .jobs"; content:"|01|*"; distance: 2; within: 255; content: "|04|jobs"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000907; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mobi"; content:"|01|*"; distance: 2; within: 255; content: "|04|mobi"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000908; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .museum"; content:"|01|*"; distance: 2; within: 255; content: "|06|museum"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000909; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .name"; content:"|01|*"; distance: 2; within: 255; content: "|04|name"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000910; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .net"; content:"|01|*"; distance: 2; within: 255; content: "|03|net"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000911; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .org"; content:"|01|*"; distance: 2; within: 255; content: "|03|org"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000912; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pro"; content:"|01|*"; distance: 2; within: 255; content: "|03|pro"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000913; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tel"; content:"|01|*"; distance: 2; within: 255; content: "|03|tel"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000914; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .travel"; content:"|01|*"; distance: 2; within: 255; content: "|06|travel"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000915; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gov"; content:"|01|*"; distance: 2; within: 255; content: "|03|gov"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000916; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .edu"; content:"|01|*"; distance: 2; within: 255; content: "|03|edu"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000917; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mil"; content:"|01|*"; distance: 2; within: 255; content: "|03|mil"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000918; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .int"; content:"|01|*"; distance: 2; within: 255; content: "|03|int"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000919; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ac"; content:"|01|*"; distance: 2; within: 255; content: "|02|ac"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000920; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ad"; content:"|01|*"; distance: 2; within: 255; content: "|02|ad"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000921; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ae"; content:"|01|*"; distance: 2; within: 255; content: "|02|ae"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000922; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .af"; content:"|01|*"; distance: 2; within: 255; content: "|02|af"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000923; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ag"; content:"|01|*"; distance: 2; within: 255; content: "|02|ag"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000924; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ai"; content:"|01|*"; distance: 2; within: 255; content: "|02|ai"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000925; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .al"; content:"|01|*"; distance: 2; within: 255; content: "|02|al"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000926; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .am"; content:"|01|*"; distance: 2; within: 255; content: "|02|am"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000927; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .an"; content:"|01|*"; distance: 2; within: 255; content: "|02|an"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000928; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ao"; content:"|01|*"; distance: 2; within: 255; content: "|02|ao"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000929; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .aq"; content:"|01|*"; distance: 2; within: 255; content: "|02|aq"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000930; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ar"; content:"|01|*"; distance: 2; within: 255; content: "|02|ar"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000931; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .as"; content:"|01|*"; distance: 2; within: 255; content: "|02|as"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000932; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .at"; content:"|01|*"; distance: 2; within: 255; content: "|02|at"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000933; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .au"; content:"|01|*"; distance: 2; within: 255; content: "|02|au"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000934; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .aw"; content:"|01|*"; distance: 2; within: 255; content: "|02|aw"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000935; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ax"; content:"|01|*"; distance: 2; within: 255; content: "|02|ax"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000936; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .az"; content:"|01|*"; distance: 2; within: 255; content: "|02|az"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000937; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ba"; content:"|01|*"; distance: 2; within: 255; content: "|02|ba"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000938; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bb"; content:"|01|*"; distance: 2; within: 255; content: "|02|bb"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000939; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bd"; content:"|01|*"; distance: 2; within: 255; content: "|02|bd"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000940; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .be"; content:"|01|*"; distance: 2; within: 255; content: "|02|be"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000941; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bf"; content:"|01|*"; distance: 2; within: 255; content: "|02|bf"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000942; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bg"; content:"|01|*"; distance: 2; within: 255; content: "|02|bg"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000943; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bh"; content:"|01|*"; distance: 2; within: 255; content: "|02|bh"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000944; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bi"; content:"|01|*"; distance: 2; within: 255; content: "|02|bi"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000945; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bj"; content:"|01|*"; distance: 2; within: 255; content: "|02|bj"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000946; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bl"; content:"|01|*"; distance: 2; within: 255; content: "|02|bl"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000947; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bm"; content:"|01|*"; distance: 2; within: 255; content: "|02|bm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000948; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bn"; content:"|01|*"; distance: 2; within: 255; content: "|02|bn"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000949; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bo"; content:"|01|*"; distance: 2; within: 255; content: "|02|bo"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000950; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .br"; content:"|01|*"; distance: 2; within: 255; content: "|02|br"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000951; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bs"; content:"|01|*"; distance: 2; within: 255; content: "|02|bs"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000952; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bt"; content:"|01|*"; distance: 2; within: 255; content: "|02|bt"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000953; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bv"; content:"|01|*"; distance: 2; within: 255; content: "|02|bv"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000954; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bw"; content:"|01|*"; distance: 2; within: 255; content: "|02|bw"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000955; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .by"; content:"|01|*"; distance: 2; within: 255; content: "|02|by"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000956; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .bz"; content:"|01|*"; distance: 2; within: 255; content: "|02|bz"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000957; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ca"; content:"|01|*"; distance: 2; within: 255; content: "|02|ca"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000958; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cc"; content:"|01|*"; distance: 2; within: 255; content: "|02|cc"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000959; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cd"; content:"|01|*"; distance: 2; within: 255; content: "|02|cd"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000960; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cf"; content:"|01|*"; distance: 2; within: 255; content: "|02|cf"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000961; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cg"; content:"|01|*"; distance: 2; within: 255; content: "|02|cg"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000962; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ch"; content:"|01|*"; distance: 2; within: 255; content: "|02|ch"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000963; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ci"; content:"|01|*"; distance: 2; within: 255; content: "|02|ci"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000964; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ck"; content:"|01|*"; distance: 2; within: 255; content: "|02|ck"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000965; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cl"; content:"|01|*"; distance: 2; within: 255; content: "|02|cl"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000966; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cm"; content:"|01|*"; distance: 2; within: 255; content: "|02|cm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000967; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cn"; content:"|01|*"; distance: 2; within: 255; content: "|02|cn"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000968; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .co"; content:"|01|*"; distance: 2; within: 255; content: "|02|co"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000969; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cr"; content:"|01|*"; distance: 2; within: 255; content: "|02|cr"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000970; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cu"; content:"|01|*"; distance: 2; within: 255; content: "|02|cu"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000971; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cv"; content:"|01|*"; distance: 2; within: 255; content: "|02|cv"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000972; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cx"; content:"|01|*"; distance: 2; within: 255; content: "|02|cx"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000973; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cy"; content:"|01|*"; distance: 2; within: 255; content: "|02|cy"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000974; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .cz"; content:"|01|*"; distance: 2; within: 255; content: "|02|cz"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000975; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .de"; content:"|01|*"; distance: 2; within: 255; content: "|02|de"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000976; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .dj"; content:"|01|*"; distance: 2; within: 255; content: "|02|dj"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000977; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .dk"; content:"|01|*"; distance: 2; within: 255; content: "|02|dk"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000978; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .dm"; content:"|01|*"; distance: 2; within: 255; content: "|02|dm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000979; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .do"; content:"|01|*"; distance: 2; within: 255; content: "|02|do"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000980; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .dz"; content:"|01|*"; distance: 2; within: 255; content: "|02|dz"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000981; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ec"; content:"|01|*"; distance: 2; within: 255; content: "|02|ec"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000982; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ee"; content:"|01|*"; distance: 2; within: 255; content: "|02|ee"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000983; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .eg"; content:"|01|*"; distance: 2; within: 255; content: "|02|eg"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000984; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .eh"; content:"|01|*"; distance: 2; within: 255; content: "|02|eh"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000985; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .er"; content:"|01|*"; distance: 2; within: 255; content: "|02|er"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000986; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .es"; content:"|01|*"; distance: 2; within: 255; content: "|02|es"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000987; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .et"; content:"|01|*"; distance: 2; within: 255; content: "|02|et"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000988; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .eu"; content:"|01|*"; distance: 2; within: 255; content: "|02|eu"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000989; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fi"; content:"|01|*"; distance: 2; within: 255; content: "|02|fi"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000990; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fj"; content:"|01|*"; distance: 2; within: 255; content: "|02|fj"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000991; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fk"; content:"|01|*"; distance: 2; within: 255; content: "|02|fk"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000992; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fm"; content:"|01|*"; distance: 2; within: 255; content: "|02|fm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000993; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fo"; content:"|01|*"; distance: 2; within: 255; content: "|02|fo"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000994; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .fr"; content:"|01|*"; distance: 2; within: 255; content: "|02|fr"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000995; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ga"; content:"|01|*"; distance: 2; within: 255; content: "|02|ga"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000996; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gb"; content:"|01|*"; distance: 2; within: 255; content: "|02|gb"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000997; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gd"; content:"|01|*"; distance: 2; within: 255; content: "|02|gd"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000998; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ge"; content:"|01|*"; distance: 2; within: 255; content: "|02|ge"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1000999; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gf"; content:"|01|*"; distance: 2; within: 255; content: "|02|gf"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001000; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gg"; content:"|01|*"; distance: 2; within: 255; content: "|02|gg"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001001; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gh"; content:"|01|*"; distance: 2; within: 255; content: "|02|gh"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001002; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gi"; content:"|01|*"; distance: 2; within: 255; content: "|02|gi"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001003; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gl"; content:"|01|*"; distance: 2; within: 255; content: "|02|gl"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001004; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gm"; content:"|01|*"; distance: 2; within: 255; content: "|02|gm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001005; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gn"; content:"|01|*"; distance: 2; within: 255; content: "|02|gn"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001006; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gp"; content:"|01|*"; distance: 2; within: 255; content: "|02|gp"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001007; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gq"; content:"|01|*"; distance: 2; within: 255; content: "|02|gq"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001008; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gr"; content:"|01|*"; distance: 2; within: 255; content: "|02|gr"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001009; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gs"; content:"|01|*"; distance: 2; within: 255; content: "|02|gs"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001010; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gt"; content:"|01|*"; distance: 2; within: 255; content: "|02|gt"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001011; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gu"; content:"|01|*"; distance: 2; within: 255; content: "|02|gu"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001012; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gw"; content:"|01|*"; distance: 2; within: 255; content: "|02|gw"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001013; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .gy"; content:"|01|*"; distance: 2; within: 255; content: "|02|gy"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001014; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .hk"; content:"|01|*"; distance: 2; within: 255; content: "|02|hk"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001015; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .hm"; content:"|01|*"; distance: 2; within: 255; content: "|02|hm"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001016; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .hn"; content:"|01|*"; distance: 2; within: 255; content: "|02|hn"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001017; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .hr"; content:"|01|*"; distance: 2; within: 255; content: "|02|hr"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001018; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ht"; content:"|01|*"; distance: 2; within: 255; content: "|02|ht"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001019; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .hu"; content:"|01|*"; distance: 2; within: 255; content: "|02|hu"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001020; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .id"; content:"|01|*"; distance: 2; within: 255; content: "|02|id"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001021; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ie"; content:"|01|*"; distance: 2; within: 255; content: "|02|ie"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001022; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .il"; content:"|01|*"; distance: 2; within: 255; content: "|02|il"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001023; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .im"; content:"|01|*"; distance: 2; within: 255; content: "|02|im"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001024; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .in"; content:"|01|*"; distance: 2; within: 255; content: "|02|in"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001025; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .io"; content:"|01|*"; distance: 2; within: 255; content: "|02|io"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001026; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .iq"; content:"|01|*"; distance: 2; within: 255; content: "|02|iq"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001027; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ir"; content:"|01|*"; distance: 2; within: 255; content: "|02|ir"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001028; rev:1;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .is"; content:"|01|*"; distance: 2; within: 255; content: "|02|is"; nocase; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001029; rev:1;)
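# Wildcard DNS lookup rules for the TLDs .it through .zw (sid 1001030-1001171).
# Each rule alerts on a UDP packet sent to $DNS_SERVERS port 53 by a host that is
# not itself in $DNS_SERVERS, when the payload holds a one-character label "*"
# (|01|*) followed by the TLD label named in msg.
#   distance: 2 / within: 255 on the first content: presumably meant to skip the
#   2-byte DNS transaction ID and keep the search near the start of the packet.
# rev 2: the TLD content is now matched after the "*" label (distance: 0) and must
# be followed by the zero-length root label (|00|) that ends a DNS name. In rev 1
# the TLD content could match anywhere in the packet, so a query such as
# "*.me.uk" (constructed example) raised both the .me and the .uk alert.
# NOTE(review): reference:url,ref.ref.com looks like a placeholder; point it at
# real documentation before deploying.
# NOTE(review): only UDP is inspected; DNS over TCP is not covered by these rules.
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .it"; content:"|01|*"; distance: 2; within: 255; content: "|02|it|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001030; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .je"; content:"|01|*"; distance: 2; within: 255; content: "|02|je|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001031; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .jm"; content:"|01|*"; distance: 2; within: 255; content: "|02|jm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001032; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .jo"; content:"|01|*"; distance: 2; within: 255; content: "|02|jo|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001033; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .jp"; content:"|01|*"; distance: 2; within: 255; content: "|02|jp|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001034; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ke"; content:"|01|*"; distance: 2; within: 255; content: "|02|ke|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001035; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kg"; content:"|01|*"; distance: 2; within: 255; content: "|02|kg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001036; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kh"; content:"|01|*"; distance: 2; within: 255; content: "|02|kh|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001037; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ki"; content:"|01|*"; distance: 2; within: 255; content: "|02|ki|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001038; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .km"; content:"|01|*"; distance: 2; within: 255; content: "|02|km|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001039; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kn"; content:"|01|*"; distance: 2; within: 255; content: "|02|kn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001040; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kp"; content:"|01|*"; distance: 2; within: 255; content: "|02|kp|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001041; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kr"; content:"|01|*"; distance: 2; within: 255; content: "|02|kr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001042; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kw"; content:"|01|*"; distance: 2; within: 255; content: "|02|kw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001043; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ky"; content:"|01|*"; distance: 2; within: 255; content: "|02|ky|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001044; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .kz"; content:"|01|*"; distance: 2; within: 255; content: "|02|kz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001045; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .la"; content:"|01|*"; distance: 2; within: 255; content: "|02|la|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001046; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lb"; content:"|01|*"; distance: 2; within: 255; content: "|02|lb|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001047; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lc"; content:"|01|*"; distance: 2; within: 255; content: "|02|lc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001048; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .li"; content:"|01|*"; distance: 2; within: 255; content: "|02|li|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001049; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lk"; content:"|01|*"; distance: 2; within: 255; content: "|02|lk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001050; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lr"; content:"|01|*"; distance: 2; within: 255; content: "|02|lr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001051; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ls"; content:"|01|*"; distance: 2; within: 255; content: "|02|ls|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001052; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lt"; content:"|01|*"; distance: 2; within: 255; content: "|02|lt|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001053; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lu"; content:"|01|*"; distance: 2; within: 255; content: "|02|lu|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001054; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .lv"; content:"|01|*"; distance: 2; within: 255; content: "|02|lv|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001055; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ly"; content:"|01|*"; distance: 2; within: 255; content: "|02|ly|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001056; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ma"; content:"|01|*"; distance: 2; within: 255; content: "|02|ma|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001057; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mc"; content:"|01|*"; distance: 2; within: 255; content: "|02|mc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001058; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .md"; content:"|01|*"; distance: 2; within: 255; content: "|02|md|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001059; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .me"; content:"|01|*"; distance: 2; within: 255; content: "|02|me|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001060; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mf"; content:"|01|*"; distance: 2; within: 255; content: "|02|mf|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001061; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mg"; content:"|01|*"; distance: 2; within: 255; content: "|02|mg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001062; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mh"; content:"|01|*"; distance: 2; within: 255; content: "|02|mh|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001063; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mk"; content:"|01|*"; distance: 2; within: 255; content: "|02|mk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001064; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ml"; content:"|01|*"; distance: 2; within: 255; content: "|02|ml|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001065; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mm"; content:"|01|*"; distance: 2; within: 255; content: "|02|mm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001066; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mn"; content:"|01|*"; distance: 2; within: 255; content: "|02|mn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001067; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mo"; content:"|01|*"; distance: 2; within: 255; content: "|02|mo|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001068; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mp"; content:"|01|*"; distance: 2; within: 255; content: "|02|mp|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001069; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mq"; content:"|01|*"; distance: 2; within: 255; content: "|02|mq|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001070; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mr"; content:"|01|*"; distance: 2; within: 255; content: "|02|mr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001071; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ms"; content:"|01|*"; distance: 2; within: 255; content: "|02|ms|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001072; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mt"; content:"|01|*"; distance: 2; within: 255; content: "|02|mt|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001073; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mu"; content:"|01|*"; distance: 2; within: 255; content: "|02|mu|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001074; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mv"; content:"|01|*"; distance: 2; within: 255; content: "|02|mv|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001075; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mw"; content:"|01|*"; distance: 2; within: 255; content: "|02|mw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001076; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mx"; content:"|01|*"; distance: 2; within: 255; content: "|02|mx|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001077; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .my"; content:"|01|*"; distance: 2; within: 255; content: "|02|my|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001078; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .mz"; content:"|01|*"; distance: 2; within: 255; content: "|02|mz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001079; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .na"; content:"|01|*"; distance: 2; within: 255; content: "|02|na|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001080; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nc"; content:"|01|*"; distance: 2; within: 255; content: "|02|nc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001081; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ne"; content:"|01|*"; distance: 2; within: 255; content: "|02|ne|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001082; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nf"; content:"|01|*"; distance: 2; within: 255; content: "|02|nf|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001083; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ng"; content:"|01|*"; distance: 2; within: 255; content: "|02|ng|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001084; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ni"; content:"|01|*"; distance: 2; within: 255; content: "|02|ni|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001085; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nl"; content:"|01|*"; distance: 2; within: 255; content: "|02|nl|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001086; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .no"; content:"|01|*"; distance: 2; within: 255; content: "|02|no|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001087; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .np"; content:"|01|*"; distance: 2; within: 255; content: "|02|np|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001088; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nr"; content:"|01|*"; distance: 2; within: 255; content: "|02|nr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001089; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nu"; content:"|01|*"; distance: 2; within: 255; content: "|02|nu|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001090; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .nz"; content:"|01|*"; distance: 2; within: 255; content: "|02|nz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001091; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .om"; content:"|01|*"; distance: 2; within: 255; content: "|02|om|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001092; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pa"; content:"|01|*"; distance: 2; within: 255; content: "|02|pa|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001093; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pe"; content:"|01|*"; distance: 2; within: 255; content: "|02|pe|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001094; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pf"; content:"|01|*"; distance: 2; within: 255; content: "|02|pf|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001095; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pg"; content:"|01|*"; distance: 2; within: 255; content: "|02|pg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001096; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ph"; content:"|01|*"; distance: 2; within: 255; content: "|02|ph|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001097; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pk"; content:"|01|*"; distance: 2; within: 255; content: "|02|pk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001098; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pl"; content:"|01|*"; distance: 2; within: 255; content: "|02|pl|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001099; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pm"; content:"|01|*"; distance: 2; within: 255; content: "|02|pm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001100; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pn"; content:"|01|*"; distance: 2; within: 255; content: "|02|pn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001101; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pr"; content:"|01|*"; distance: 2; within: 255; content: "|02|pr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001102; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ps"; content:"|01|*"; distance: 2; within: 255; content: "|02|ps|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001103; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pt"; content:"|01|*"; distance: 2; within: 255; content: "|02|pt|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001104; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .pw"; content:"|01|*"; distance: 2; within: 255; content: "|02|pw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001105; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .py"; content:"|01|*"; distance: 2; within: 255; content: "|02|py|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001106; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .qa"; content:"|01|*"; distance: 2; within: 255; content: "|02|qa|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001107; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .re"; content:"|01|*"; distance: 2; within: 255; content: "|02|re|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001108; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ro"; content:"|01|*"; distance: 2; within: 255; content: "|02|ro|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001109; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .rs"; content:"|01|*"; distance: 2; within: 255; content: "|02|rs|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001110; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ru"; content:"|01|*"; distance: 2; within: 255; content: "|02|ru|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001111; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .rw"; content:"|01|*"; distance: 2; within: 255; content: "|02|rw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001112; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sa"; content:"|01|*"; distance: 2; within: 255; content: "|02|sa|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001113; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sb"; content:"|01|*"; distance: 2; within: 255; content: "|02|sb|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001114; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sc"; content:"|01|*"; distance: 2; within: 255; content: "|02|sc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001115; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sd"; content:"|01|*"; distance: 2; within: 255; content: "|02|sd|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001116; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .se"; content:"|01|*"; distance: 2; within: 255; content: "|02|se|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001117; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sg"; content:"|01|*"; distance: 2; within: 255; content: "|02|sg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001118; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sh"; content:"|01|*"; distance: 2; within: 255; content: "|02|sh|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001119; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .si"; content:"|01|*"; distance: 2; within: 255; content: "|02|si|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001120; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sj"; content:"|01|*"; distance: 2; within: 255; content: "|02|sj|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001121; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sk"; content:"|01|*"; distance: 2; within: 255; content: "|02|sk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001122; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sl"; content:"|01|*"; distance: 2; within: 255; content: "|02|sl|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001123; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sm"; content:"|01|*"; distance: 2; within: 255; content: "|02|sm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001124; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sn"; content:"|01|*"; distance: 2; within: 255; content: "|02|sn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001125; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .so"; content:"|01|*"; distance: 2; within: 255; content: "|02|so|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001126; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sr"; content:"|01|*"; distance: 2; within: 255; content: "|02|sr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001127; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .st"; content:"|01|*"; distance: 2; within: 255; content: "|02|st|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001128; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .su"; content:"|01|*"; distance: 2; within: 255; content: "|02|su|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001129; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sv"; content:"|01|*"; distance: 2; within: 255; content: "|02|sv|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001130; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sy"; content:"|01|*"; distance: 2; within: 255; content: "|02|sy|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001131; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .sz"; content:"|01|*"; distance: 2; within: 255; content: "|02|sz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001132; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tc"; content:"|01|*"; distance: 2; within: 255; content: "|02|tc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001133; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .td"; content:"|01|*"; distance: 2; within: 255; content: "|02|td|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001134; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tf"; content:"|01|*"; distance: 2; within: 255; content: "|02|tf|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001135; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tg"; content:"|01|*"; distance: 2; within: 255; content: "|02|tg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001136; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .th"; content:"|01|*"; distance: 2; within: 255; content: "|02|th|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001137; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tj"; content:"|01|*"; distance: 2; within: 255; content: "|02|tj|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001138; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tk"; content:"|01|*"; distance: 2; within: 255; content: "|02|tk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001139; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tl"; content:"|01|*"; distance: 2; within: 255; content: "|02|tl|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001140; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tm"; content:"|01|*"; distance: 2; within: 255; content: "|02|tm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001141; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tn"; content:"|01|*"; distance: 2; within: 255; content: "|02|tn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001142; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .to"; content:"|01|*"; distance: 2; within: 255; content: "|02|to|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001143; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tp"; content:"|01|*"; distance: 2; within: 255; content: "|02|tp|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001144; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tr"; content:"|01|*"; distance: 2; within: 255; content: "|02|tr|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001145; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tt"; content:"|01|*"; distance: 2; within: 255; content: "|02|tt|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001146; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tv"; content:"|01|*"; distance: 2; within: 255; content: "|02|tv|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001147; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tw"; content:"|01|*"; distance: 2; within: 255; content: "|02|tw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001148; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .tz"; content:"|01|*"; distance: 2; within: 255; content: "|02|tz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001149; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ua"; content:"|01|*"; distance: 2; within: 255; content: "|02|ua|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001150; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ug"; content:"|01|*"; distance: 2; within: 255; content: "|02|ug|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001151; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .uk"; content:"|01|*"; distance: 2; within: 255; content: "|02|uk|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001152; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .um"; content:"|01|*"; distance: 2; within: 255; content: "|02|um|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001153; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .us"; content:"|01|*"; distance: 2; within: 255; content: "|02|us|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001154; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .uy"; content:"|01|*"; distance: 2; within: 255; content: "|02|uy|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001155; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .uz"; content:"|01|*"; distance: 2; within: 255; content: "|02|uz|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001156; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .va"; content:"|01|*"; distance: 2; within: 255; content: "|02|va|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001157; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .vc"; content:"|01|*"; distance: 2; within: 255; content: "|02|vc|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001158; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ve"; content:"|01|*"; distance: 2; within: 255; content: "|02|ve|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001159; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .vg"; content:"|01|*"; distance: 2; within: 255; content: "|02|vg|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001160; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .vi"; content:"|01|*"; distance: 2; within: 255; content: "|02|vi|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001161; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .vn"; content:"|01|*"; distance: 2; within: 255; content: "|02|vn|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001162; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .vu"; content:"|01|*"; distance: 2; within: 255; content: "|02|vu|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001163; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .wf"; content:"|01|*"; distance: 2; within: 255; content: "|02|wf|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001164; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ws"; content:"|01|*"; distance: 2; within: 255; content: "|02|ws|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001165; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .ye"; content:"|01|*"; distance: 2; within: 255; content: "|02|ye|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001166; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .yt"; content:"|01|*"; distance: 2; within: 255; content: "|02|yt|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001167; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .yu"; content:"|01|*"; distance: 2; within: 255; content: "|02|yu|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001168; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .za"; content:"|01|*"; distance: 2; within: 255; content: "|02|za|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001169; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .zm"; content:"|01|*"; distance: 2; within: 255; content: "|02|zm|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001170; rev:2;)
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"Wildcard DNS lookup .zw"; content:"|01|*"; distance: 2; within: 255; content: "|02|zw|00|"; nocase; distance: 0; classtype:trojan-activity; reference:url,ref.ref.com; sid: 1001171; rev:2;)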