[Snort-sigs] lots of alerts on so rule "possible DGA detected"
ronny at ...3979...
Tue Nov 25 02:55:49 EST 2014
I'm seeing a lot of alerts on an SO rule that looks for DGAs.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected"; sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|31738, service dns;)
It seems to trigger on DNS requests that are appending search domains like
First the host does a request for myserverhostname001.subdomain.domain.com
After receiving an NXDOMAIN it appends a search domain suffix and generates
a request like
Does anyone know what this SO rule is actually looking for, and is there
any way I can influence this? It looks pretty useful, so I want to
avoid disabling it.
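Added example (not part of the original post and not the SO rule's logic, which is not visible here): a small model of how a stub resolver's search list turns one lookup into a burst of NXDOMAIN queries, plus a grouping check that tells such a burst apart from genuinely unrelated random-looking names when tuning the alert. The search list, ndots value and hostnames are assumed values.

```python
# Model resolver search-list expansion and group NXDOMAIN query names back to
# the base lookup that produced them. Values below are constructed for the
# example; adjust SEARCH_LIST/NDOTS to match the hosts' resolver configuration.
from collections import defaultdict

SEARCH_LIST = ["corp.example.com", "example.com"]  # assumed resolv.conf search list
NDOTS = 1  # assumed ndots (the common default)


def expand_query(name, search_list=SEARCH_LIST, ndots=NDOTS):
    """Return the query names a stub resolver tries, in order, for `name`."""
    name = name.rstrip(".")
    candidates = []
    if name.count(".") >= ndots:
        candidates.append(name)  # name with enough dots is tried as-is first
    candidates.extend(f"{name}.{suffix}" for suffix in search_list)
    if name.count(".") < ndots:
        candidates.append(name)  # a bare short name is tried last
    return candidates


def strip_search_suffix(qname, search_list=SEARCH_LIST):
    """Remove a configured search suffix from a query name, longest suffix first."""
    for suffix in sorted(search_list, key=len, reverse=True):
        if qname.endswith("." + suffix):
            return qname[: -len(suffix) - 1]
    return qname


def group_nxdomains(qnames, search_list=SEARCH_LIST):
    """Group NXDOMAIN query names by the base name left after suffix stripping."""
    groups = defaultdict(list)
    for q in qnames:
        groups[strip_search_suffix(q, search_list)].append(q)
    return dict(groups)


def looks_like_search_expansion(qnames, search_list=SEARCH_LIST):
    """True when every name in the burst collapses to a single base lookup,
    i.e. the pattern the post describes rather than many unrelated names."""
    return len(group_nxdomains(qnames, search_list)) == 1
```

Running `expand_query("myserverhostname001.subdomain.domain.com")` reproduces the sequence from the post: the full name first, then the same name with each search suffix appended.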