[Snort-sigs] lots of alerts on so rule "possible DGA detected"

Ronny Vaningh ronny at ...3979...
Tue Nov 25 02:55:49 EST 2014


Hi

I'm seeing a lot of alerts on an SO rule that looks for DGAs.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not
found containing random-looking hostname - possible DGA detected";
sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine
shared, soid 3|31738, service dns;)


It seems to trigger on DNS requests that are appending search domains, like this:

First the host does a request for myserverhostname001.subdomain.domain.com
After receiving an NXDOMAIN it appends a search domain suffix and generates
a request like

myserverhostname543.subdomain.domain.com.searchdomain.com



Does anyone know what this SO rule is actually looking for, and is there
any way I can influence this? It looks pretty useful, so I want to
avoid disabling it.


Regards


Ronny
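The false positive described in the post, reproduced and then triaged, as an added example that is not code from the original post, from Talos or from Snort. The real logic of SO rule 3:31738 is not public, so a crude entropy/vowel-ratio heuristic stands in for "random-looking"; the search list (searchdomain.com), the internal zone (domain.com) and the sample responses are constructed assumptions. The idea is that a per-packet check can only see each NXDOMAIN in isolation, while a small amount of per-client state lets you fold resolver search-suffix retries back into the query that originally failed, drop names in your own zones, and alert only on clients with several distinct random-looking failures.

```python
"""Triage of NXDOMAIN bursts that trip a 'random-looking hostname' rule.

Added example, not Talos/Snort code: the real test in SO rule 3:31738 is not
public, so shannon-entropy plus vowel ratio stands in for "random-looking".
The responses below are constructed, not captured traffic.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: (client_ip, qname, rcode) as carried in responses from port 53.
SAMPLE_RESPONSES = [
    ("10.0.0.5", "myserverhostname001.subdomain.domain.com", "NXDOMAIN"),
    ("10.0.0.5", "myserverhostname001.subdomain.domain.com.searchdomain.com", "NXDOMAIN"),
    ("10.0.0.5", "myserverhostname543.subdomain.domain.com", "NXDOMAIN"),
    ("10.0.0.5", "myserverhostname543.subdomain.domain.com.searchdomain.com", "NXDOMAIN"),
    ("10.0.0.5", "intranet.domain.com", "NOERROR"),
    ("10.0.0.9", "qxzkvbtrmwplgj.info", "NXDOMAIN"),
    ("10.0.0.9", "bxrtzqwmklvpnd.biz", "NXDOMAIN"),
    ("10.0.0.9", "zwpmqxktrbvlng.org", "NXDOMAIN"),
]

# Assumed resolver search list and internal zones for this site (hypothetical).
SEARCH_DOMAINS = ("searchdomain.com",)
INTERNAL_ZONES = ("domain.com",)


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.35):
    """Crude stand-in for the rule's 'random-looking' test (not Talos's logic):
    long, high-entropy labels with few vowels. Note that it also fires on
    'myserverhostname001', which is exactly the poster's false positive."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def naive_alert_count(responses):
    """What a stateless per-packet check sees: every NXDOMAIN whose leftmost
    label looks random, search-suffix retries included."""
    return sum(1 for _, qname, rcode in responses
               if rcode == "NXDOMAIN" and looks_random(qname.split(".")[0]))


def strip_search_suffix(qname, search_domains):
    """If qname is <base>.<search suffix>, return (base, True); else (qname, False)."""
    for suffix in search_domains:
        tail = "." + suffix
        if qname.endswith(tail) and len(qname) > len(tail):
            return qname[: -len(tail)], True
    return qname, False


def in_zone(qname, zones):
    """True when qname is at or below one of our own zones."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def triage(responses, search_domains=SEARCH_DOMAINS, internal_zones=INTERNAL_ZONES,
           min_distinct=3):
    """Fold search-suffix retries into the base query that already failed, ignore
    names in our own zones, and flag a client only when it has min_distinct
    distinct random-looking NXDOMAIN base names."""
    failed = defaultdict(set)   # client -> base qnames that returned NXDOMAIN
    retries = 0
    for client, qname, rcode in responses:
        if rcode != "NXDOMAIN":
            continue
        base, was_retry = strip_search_suffix(qname, search_domains)
        if was_retry and base in failed[client]:
            retries += 1        # resolver re-asking a name that already failed
            continue
        failed[client].add(base)
    report = {}
    for client, names in failed.items():
        candidates = sorted(n for n in names
                            if not in_zone(n, internal_zones)
                            and looks_random(n.split(".")[0]))
        report[client] = {"candidates": candidates,
                          "suspicious": len(candidates) >= min_distinct}
    return report, retries


if __name__ == "__main__":
    print("per-packet alerts:", naive_alert_count(SAMPLE_RESPONSES))
    report, retries = triage(SAMPLE_RESPONSES)
    print("search-suffix retries folded:", retries)
    for client, info in report.items():
        print(client, info)
```

On the sample data the stateless check raises seven alerts (four of them for one legitimately named internal host and its two retries), while the triage folds the two retries, discards the internal-zone names and reports only 10.0.0.9 with its three distinct random-looking failures. If the rule's own logic cannot be tuned, the corresponding knob in Snort 2 is threshold.conf, for example `suppress gen_id 3, sig_id 31738, track by_dst, ip <hosts with a long search list>` or an `event_filter` with `type limit` to rate-limit rather than silence it; both leave the rule enabled.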