""ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)""

SID: 2021329

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2015_06_24, updated_at 2019_08_28

Reference:

• md5

• 3c49b5160b981f06bd5242662f8d0a54

Protocol: udp

Source Network: $HOME_NET

Source Port: any

Destination Network: any

Destination Port: 53

Flow:

Contents:

• Value: "|01|" Depth: 1 Offset: 2

• Value: "|00 01 00 00 00 00 00|"

• Value: "|03|ns3|07|hostasa|03|org"

Within: 7

PCRE:

Special Options:

• fast_pattern

• nocase

source