[Snort-sigs] lots of alerts on so rule "possible DGA detected"

kestutis.malakauskas at ...3980... kestutis.malakauskas at ...3980...
Tue Nov 25 04:52:39 EST 2014


The same here we do see lots of (FP) hits. Doesn’t seem this SIG to be very useful at this point.


Kestutis Malakauskas |  Lead Attack Monitoring Analyst  | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas at ...3980...<mailto:kestutis.malakauskas at ...3980...>
Barclays , 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2

Hotline: +370 520 62424
P Please consider the environment before printing this email

From: Ronny Vaningh [mailto:ronny at ...3979...]
Sent: 25 November 2014 09:56
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] lots of alerts on so rule "possible DGA detected"


I'm seeing a lot of alerts on an SO rule that looks for DGA's.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected"; sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|31738, service dns;)

It seems to trigger on dns requests that are appending search domains like

First the host does a request for myserverhostname001.subdomain.domain.com<http://myserverhostname001.subdomain.domain.com>
After receiving a NXDOMAIN it appends a search domain suffix and generates a request like


Does anyone knows what this SO rule is actually looking for and is there any way I can influence this, since it looks pretty useful so I want to avoid disabling it.



This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.

Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.

Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.

Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. 

Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141125/c5b13c2f/attachment.html>

More information about the Snort-sigs mailing list