# sid:44035 rev:5 - DNS query for the WannaCry-associated domain
# iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (trojan-activity).
#
# What it matches:
#   - UDP from $HOME_NET to any host on port 53, client-to-server direction
#     (flow:to_server), with service:dns.
#   - byte_test:1,!&,0xF8,2 passes only when the top five bits of payload
#     byte 2 are clear. In the DNS header these are QR and the opcode, so
#     only standard queries match, not responses.
#   - content is the wire-format QNAME: |29| is the label length (41 bytes),
#     then the label, |03|com, and the root terminator |00|. nocase covers
#     mixed-case (0x20-randomised) queries; fast_pattern selects this string
#     for the fast-pattern matcher.
#
# NOTE(review): the msg text starts with " DROP" (with a leading space), but
# the rule action and every policy in metadata are "alert". Confirm which is
# intended before changing either, since downstream tooling may key on msg.
#
# Operational caveat: this domain is widely reported to be WannaCry's
# kill-switch, where the sample stops if it can reach the domain. Keeping the
# rule at alert, so that the lookup is allowed to resolve, is therefore the
# safer choice. Blocking the query can remove that safeguard on an infected
# host.
#
# Coverage limits: UDP/53 only, so DNS over TCP, DoT and DoH are not
# inspected. If the sensor sits upstream of an internal resolver, the alert
# source will presumably be the resolver rather than the infected client.
# Correlate with resolver query logs to find the originating host.
alert udp $HOME_NET any -> any 53 ( msg:" DROP INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert; service:dns; reference:url,www.virustotal.com/en/domain/iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/information/; classtype:trojan-activity; sid:44035; rev:5; )