Snort Rule: Wannacry Killswitch Domain DNS Lookup

A quick Snort rule I knocked together to use as an IOC for WannaCry ransomware. It's really simple and looks for DNS requests to the killswitch domain; by this point, we know the host is infected and is trying to check if the kill switch is in place.

alert udp any any -> any 53 ( msg:"WannaCry Killswitch Domain Lookup";  pcre:"/"; priority:1; sid:999999999; rev:1; )

Thanks to Benkow Wokned (@benkow_) for providing me a pcap sample to allow me to make the rule.