1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created this dns query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )

If I had to guess I think it's related to the .bit tld or something similar which stated.

Per the reddit The advantage to owning a .bit domain is that no government or third-party can have your DNS interrupted, it is truly a P2P DNS system with no possibility of censorship.

More about neonprimetime

• neonprimetime pastebin
• neonprimetime virustotal
• @neonprimetime twitter
• neonprimetime reddit

Top Blogs of all-time

1. pagerank botnet sql injection walk-thru
2. DOM XSS 101 Walk-Through
3. An Invoice email and a Hot mess of Java

Top Github Contributions

1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.