[Emerging-Sigs] Rule 2016016

Lay, James james.lay at wincofoods.com
Thu Dec 20 04:54:04 HAST 2012


Rule:
alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)

Hex:
2A 39 01 00 00 01 00 00 00 00 00 01 03 69 73 63
03 6F 72 67 00 00 FF 00 01 00 00 29 10 00 00 00
80 00 00 00

Text dump:
*9...........isc
.org.......)....
....

So far this is a pretty chatty rule.  FYI :D

James
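The rule's match conditions decoded against the posted hex, as an added example (not part of James's post or of the ET ruleset): a small Python parser for the DNS header, question and leading OPT record, plus a `rule_2016016_matches` check that mirrors the signature's byte tests. The first sample is the packet from the post; the second (a plain A query without EDNS0) is constructed to show a non-match.

```python
import struct

# Constructed from the hex dump in the post: isc.org, QTYPE ANY, EDNS0 with 4096-byte payload.
SAMPLE_ANY_EDNS = bytes.fromhex(
    "2a39 0100 0001 0000 0000 0001"   # header: id, flags (RD), qd=1, an=0, ns=0, ar=1
    "03 697363 03 6f7267 00"          # QNAME: 3 "isc" 3 "org" 0
    "00ff 0001"                       # QTYPE ANY (255), QCLASS IN
    "00 0029 1000 0000 8000 0000"     # OPT RR: root name, type 41, payload 4096, DO bit, rdlen 0
)
# Constructed contrast case: ordinary A query for isc.org, no EDNS0 additional record.
SAMPLE_PLAIN_A = bytes.fromhex("1234 0100 0001 0000 0000 0000" "03 697363 03 6f7267 00" "0001 0001")

def parse_name(buf, off):
    """Read an uncompressed QNAME at off; return (labels, offset after the 0 terminator)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return labels, off
        if length & 0xC0:  # compression pointers never appear in a well-formed question
            raise ValueError("compression pointer in question section")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_query(buf):
    """Decode header, question and (if present) the leading OPT pseudo-RR of a DNS query."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    labels, off = parse_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    edns_size = None
    if ar and buf[off] == 0:  # OPT owner name is the root label
        rtype, payload = struct.unpack("!HH", buf[off + 1:off + 5])
        if rtype == 41:       # TYPE OPT; its CLASS field carries the requestor's UDP payload size
            edns_size = payload
    return {"flags": flags, "counts": (qd, an, ns, ar), "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "edns_size": edns_size}

def rule_2016016_matches(buf):
    """Mirror sid:2016016: bytes 2-11 == 01 00 00 01 00 00 00 00 00 01 (flags RD, qd=1, ar=1),
    then right after the QNAME: 00 ff 00 01 00 00 29 10 (ANY, IN, OPT, payload size 0x10xx)."""
    try:
        q = parse_query(buf)
    except (ValueError, IndexError, struct.error):
        return False  # truncated or malformed: the signature's byte tests cannot line up either
    return (q["flags"] == 0x0100 and q["counts"] == (1, 0, 0, 1)
            and q["qtype"] == 0x00FF and q["qclass"] == 0x0001
            and q["edns_size"] is not None and q["edns_size"] >> 8 == 0x10)
```

Decoding it this way also shows why the rule is chatty: any recursion-desired ANY query carrying an EDNS0 payload size of 4096..4351, which DNSSEC-capable resolvers send routinely, satisfies every byte test, and the threshold only limits alerts to one per source per minute.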

