""ET TROJAN BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)""

SID: 2021416

Revision: 2

Class Type: trojan-activity

Metadata: created_at 2015_07_15, updated_at 2019_08_28

Reference:

Protocol: udp

Source Network: $HOME_NET

Source Port: any

Destination Network: any

Destination Port: 53

Flow:

Contents:

  • Value: "|01|" Depth: 1 Offset: 2

  • Value: "|00 01 00 00 00 00 00|"

  • Value: "|03|29a|02|de|00|"

Within: 7

PCRE: "/^.(?=[a-z0-9+/]?[A-Z])(?=[A-Z0-9+/]?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0329a\x02de\x00/R"

Special Options:

  • nocase
