Tue Nov 26, 2019 11:54 pm
It's the wrong approach. The right approach is to sanitize the systems infected with the malware. Are you sure the malware only uses http to connect? It may be https, it may be something else...
So I'd define a layer7 rule
/ip firewall layer7-protocol
add name=gamarue regexp="\\x02[rR][uU]...\?.\?\$"
and add an action=add-src-to-address-list address-list=gamarue-hosts layer7-protocol=gamarue dst-port=53 to both chain=input and chain=forward of /ip firewall filter, once with protocol=tcp and once with protocol=udp (so four rules in total). And then you may block all traffic based on src-address-list=gamarue-hosts, but much more important is to identify the infected clients (reading the contents of the address-list as it gradually builds up) and talk to them.
Just bear in mind that you may have some false positives depending on who your clients are.
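The rule set described above, written out in full as an added example (this is not the original poster's configuration; the address-list timeout, the comments, the disabled drop rule and the rule placement are assumptions, the regexp is the one quoted in the post):

```routeros
# Added example, not the poster's own config. Defines the layer7 matcher
# and the four tagging rules (input/forward x udp/tcp) on dst-port=53.
/ip firewall layer7-protocol
add name=gamarue regexp="\\x02[rR][uU]...\?.\?\$"

/ip firewall filter
# Tagging only: nothing is dropped yet, the list is built up for review.
# These rules must sit before any fasttrack/accept-established rule,
# otherwise layer7 never sees the DNS payload (placement is an assumption).
add chain=input protocol=udp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    address-list-timeout=1d comment="gamarue DNS udp (to router)" place-before=0
add chain=input protocol=tcp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    address-list-timeout=1d comment="gamarue DNS tcp (to router)" place-before=1
add chain=forward protocol=udp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    address-list-timeout=1d comment="gamarue DNS udp (forwarded)" place-before=2
add chain=forward protocol=tcp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    address-list-timeout=1d comment="gamarue DNS tcp (forwarded)" place-before=3

# Optional block rule, left disabled until the list has been reviewed for
# false positives and the listed clients have been contacted.
add chain=forward src-address-list=gamarue-hosts action=drop \
    comment="block hosts tagged as gamarue" disabled=yes place-before=4

# Read the list as it builds up to identify the clients to talk to.
/ip firewall address-list print where list=gamarue-hosts
```

The 1d timeout means a host drops off the list a day after its last matching query, so a client that keeps querying stays listed; set it to none-dynamic (omit the timeout) if a permanent record is preferred.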