"ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound)"
SID: 2018276
Revision: 6
Class Type: trojan-activity
Metadata: created_at 2014_03_14, updated_at 2014_03_18
Reference:
Protocol: udp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $HOME_NET
Destination Port: 53
Flow:
Contents:
- Value: "|00 01 00 00 00 00 00 00 38|" Depth: 9 Offset: 4
Within:
PCRE: "/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9-]+.[a-z0-9-]+\x00\x00\x01\x00\x01/Rsi"
Special Options: