[Snort-sigs] lots of alerts on so rule "possible DGA detected"

Patrick Mullen pmullen at ...435...
Tue Nov 25 09:35:28 EST 2014


Ronny and Kestutis,

Thanks for your query.  Rule 3:31738, "possible DGA detected" performs a
statistical analysis on failed DNS lookups in an attempt to find potential
malware Domain Generation Algorithms (DGAs).  It is disabled by default
because there are many domains out there that do not follow natural (and
semi-natural) language patterns, even when the Alexa Top 1M sites are used
for your dictionary.  If you are willing to tolerate false positives and
take fairly quick glances through the alerts, you can identify hosts that
are clearly falling victim to malware that utilizes a Domain Generation
Algorithm and is searching for its Command and Control server.  Being a
"hunter" rule, FPs need to be tolerated as the detection casts a wide net
in an effort to give the analyst as much information as possible.

That said, the rule is under constant review and a few improvements have
been identified and will be rolled out in future versions.  We actively use
this rule to find current, active malware that uses new (and old) DGAs.


Thanks,

~Patrick
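Added example, not code from the original post or from the Snort rule itself: a minimal version of the approach Patrick describes, scoring the labels of failed (NXDOMAIN) lookups against letter pairs drawn from a "natural" name dictionary, grouping by client, and flagging clients with repeated algorithmic-looking failures. The log format, SEED_DICTIONARY, the 0.6 score cutoff and the 3-hit threshold are assumptions.

```python
"""Added DGA-hunting illustration (not Snort rule 3:31738's logic); SEED_DICTIONARY is a constructed stand-in for Alexa Top 1M."""
from collections import defaultdict

# Constructed stand-in for the Alexa Top 1M dictionary the post mentions.
SEED_DICTIONARY = ["google", "facebook", "youtube", "wikipedia", "amazon",
                   "twitter", "yahoo", "instagram", "linkedin", "reddit",
                   "netflix", "microsoft", "apple", "github", "dropbox", "paypal"]
# Letter pairs that occur in "natural" names; pairs outside this set count against a label.
KNOWN = {w[i:i + 2] for w in SEED_DICTIONARY for i in range(len(w) - 1)}

def dga_score(label, known=KNOWN):
    """Fraction of the label's letter bigrams never seen in the dictionary (0.0 .. 1.0)."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    pairs = [letters[i:i + 2] for i in range(len(letters) - 1)]
    if not pairs:
        return 0.0
    return sum(p not in known for p in pairs) / len(pairs)

def registered_label(qname):
    """Second-level label ('mail.example.com' -> 'example'); assumes single-label TLDs."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def suspicious_lookups(log_lines, threshold=0.6):
    """Per client, the failed (NXDOMAIN) lookups whose label looks algorithmic.
    Constructed log format: '<timestamp> <client_ip> <rcode> <qname>'."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "NXDOMAIN":
            continue  # only failed lookups feed the statistics
        if dga_score(registered_label(fields[3])) >= threshold:
            hits[fields[1]].append(fields[3])
    return dict(hits)

def flagged_hosts(log_lines, min_hits=3, threshold=0.6):
    """Clients with at least min_hits DGA-looking failures: the 'hunter' alert."""
    hits = suspicious_lookups(log_lines, threshold)
    return sorted(c for c, names in hits.items() if len(names) >= min_hits)

# Constructed sample: 10.0.0.5 churns through algorithmic names; 10.0.0.7 has one odd
# but legitimate miss, the kind of false positive the post says a hunter rule tolerates.
SAMPLE_LOG = [
    "2014-11-25T09:30:01 10.0.0.5 NXDOMAIN kxjqwvtprzmbl.com",
    "2014-11-25T09:30:02 10.0.0.5 NXDOMAIN hzqmfdoyrtwkvb.net",
    "2014-11-25T09:30:03 10.0.0.5 NXDOMAIN xvzqplrtmnbk.org",
    "2014-11-25T09:31:10 10.0.0.7 NXDOMAIN xyzcorp.com",
    "2014-11-25T09:31:11 10.0.0.7 NXDOMAIN intranet.local",
    "2014-11-25T09:31:12 10.0.0.7 NOERROR mail.example.com",
]
```

With these inputs only 10.0.0.5 crosses the 3-hit cut, while 10.0.0.7's single odd name is recorded but not alerted on; lowering min_hits to 1 surfaces that false positive, which is the trade-off the post describes.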