[Snort-sigs] lots of alerts on so rule "possible DGA detected"

Alex McDonnell amcdonnell at ...435...
Tue Nov 25 06:49:28 EST 2014


Ronny, you can influence this rule by sending us, the VRT (TALOS) team,
examples of domains that trigger this rule improperly. Pcaps are even
better.

Kestutis, I would ask the same, please send us examples or open a support
ticket; if we don't know that it's causing FPs, then we can't fix it!

thanks
Alex McDonnell
VRT/TALOS Detection Response Team Lead


On Tue, Nov 25, 2014 at 4:52 AM, <kestutis.malakauskas at ...3980...> wrote:

> Hello,
>
> Same here, we do see lots of (FP) hits. This SIG doesn't seem to be
> very useful at this point.
>
> Kestutis
>
> Kestutis Malakauskas | Lead Attack Monitoring Analyst | Global
> Information Security | Security Operations
>
> Tel +370 5 251 1847 | Mobile +370 652 89466 | Email
> kestutis.malakauskas at ...3980...
>
> Barclays, 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania *GMT+2*
>
> Barclays.com
>
> *Hotline: +370 520 62424*
>
> Please consider the environment before printing this email
>
> *From:* Ronny Vaningh [mailto:ronny at ...3979...]
> *Sent:* 25 November 2014 09:56
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* [Snort-sigs] lots of alerts on so rule "possible DGA detected"
>
> Hi
>
> I'm seeing a lot of alerts on an SO rule that looks for DGAs.
>
> alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not
> found containing random-looking hostname - possible DGA detected";
> sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine
> shared, soid 3|31738, service dns;)
>
> It seems to trigger on DNS requests that are appending search domains like
>
> First the host does a request for myserverhostname001.subdomain.domain.com
>
> After receiving an NXDOMAIN it appends a search domain suffix and generates
> a request like
>
> myserverhostname543.subdomain.domain.com.searchdomain.com
>
>
> Does anyone know what this SO rule is actually looking for and is there
> any way I can influence this, since it looks pretty useful so I want to
> avoid disabling it.
>
> Regards
>
> Ronny
>
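The search-list pattern Ronny describes can be separated from the remaining NXDOMAIN alerts before examples are sent to VRT. The following triage helper is an added example, not code from the thread or from Snort: it takes (client, queried name) pairs extracted from NXDOMAIN responses and flags a query as a search-list expansion when the same client already received NXDOMAIN for a prefix of that name; the sample events and the 10.1.1.x clients are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: (client IP, queried name) pairs from NXDOMAIN responses
# in arrival order. The first four follow the thread's pattern (host lookup,
# then the same name with the search domain appended); the last two are
# made-up random-looking names with no prior lookup from that client.
SAMPLE_NXDOMAIN = [
    ("10.1.1.5", "myserverhostname001.subdomain.domain.com"),
    ("10.1.1.5", "myserverhostname001.subdomain.domain.com.searchdomain.com"),
    ("10.1.1.5", "myserverhostname543.subdomain.domain.com"),
    ("10.1.1.5", "myserverhostname543.subdomain.domain.com.searchdomain.com"),
    ("10.1.1.9", "xk3jq9w2lm7d.info"),
    ("10.1.1.9", "q8vz2n0trb5c.biz"),
]


def classify(events, known_suffixes=None):
    """Split NXDOMAIN events into search-list expansions and the rest.

    An event is an expansion when the same client already got NXDOMAIN for
    a name that is a prefix of this one and the remainder is a search-domain
    suffix (any suffix, or one of known_suffixes when given).
    Returns (expansions, unexplained); each expansion carries its base name.
    """
    seen = defaultdict(set)          # client -> NXDOMAIN names seen so far
    expansions, unexplained = [], []
    for client, qname in events:
        qname = qname.rstrip(".").lower()
        base = None
        for prior in seen[client]:
            if qname.startswith(prior + "."):
                suffix = qname[len(prior) + 1:]
                if known_suffixes is None or suffix in known_suffixes:
                    base = prior
                    break
        if base is None:
            unexplained.append((client, qname))
        else:
            expansions.append((client, qname, base))
        seen[client].add(qname)
    return expansions, unexplained


def suffix_counts(expansions):
    """Count the search-domain suffixes behind the expansion alerts, which
    shows which configured search list is generating them."""
    return Counter(q[len(b) + 1:] for _, q, b in expansions)


if __name__ == "__main__":
    exp, rest = classify(SAMPLE_NXDOMAIN)
    print("search-list expansions:", len(exp), dict(suffix_counts(exp)))
    print("still to review:", rest)
```

The base lookups themselves stay in the unexplained list, since the tool only proves that a later query was a suffix expansion; the analyst still decides whether the base names are legitimate hosts.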