[Snort-sigs] lots of alerts on so rule "possible DGA detected"

C. L. Martinez carlopmart at ...2420...
Tue Nov 25 09:51:04 EST 2014


On Tue, Nov 25, 2014 at 2:35 PM, Patrick Mullen <pmullen at ...435...> wrote:
> Ronny and Kestutis,
>
> Thanks for your query.  Rule 3:31738, "possible DGA detected" performs a
> statistical analysis on failed DNS lookups in an attempt to find potential
> malware Domain Generation Algorithms (DGAs).  It is disabled by default
> because there are many domains out there that do not follow natural (and
> semi-natural) language patterns, even when the Alexa Top 1M sites is used
> for your dictionary.  If you are willing to tolerate false positives and
> take fairly quick glances through the alerts, you can identify hosts that
> are clearly falling victim to malware that utilizes a Domain Generation
> Algorithm and is searching for its Command and Control server.  Being a
> "hunter" rule, FPs need to be tolerated as the detection casts a wide net in
> an effort to give the analyst as much information as possible.
>
> That said, the rule is under constant review and a few improvements have
> been identified and will be rolled out in future versions.  We actively use
> this rule to find current, active malware that uses new (and old) DGAs.
>
>
> Thanks,
>
> ~Patrick
>

Thanks a lot for your explanation, Patrick.
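As an added example (not Snort's own code for rule 3:31738, whose implementation is not shown in this thread), here is a toy version of the approach Patrick describes: take each failed lookup (NXDOMAIN), score the registrable label against a dictionary plus simple character statistics, and flag a client only when several high-scoring failures cluster in a short window. The log format, the small stand-in word list (the post mentions the Alexa Top 1M as a real dictionary), the weights, the thresholds, and the function names are all constructed assumptions. The constructed log includes a typo'd domain that scores as DGA-like, which is the kind of false positive a "hunter" rule like this tolerates; the per-host threshold is what keeps that single miss from raising an alert.

```python
"""Toy DGA hunter over NXDOMAIN responses (added example, not Snort code)."""
import math
import re
from collections import defaultdict

# Constructed stand-in dictionary; a real deployment would load something
# far larger (the thread mentions the Alexa Top 1M).
WORDS = {
    "mail", "google", "face", "book", "news", "shop", "bank", "cloud",
    "update", "service", "secure", "login", "web", "store", "online",
    "static", "cdn", "edge", "net", "work", "site", "home", "office",
    "my", "the", "app", "data", "center", "search", "video", "music",
}

# Constructed resolver log, one "<unix_ts> <client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
1416928000 10.0.0.5 mail.google.com NOERROR
1416928001 10.0.0.5 xkqzvbpotrlwma.com NXDOMAIN
1416928002 10.0.0.5 jhrtqwlcpsvd.net NXDOMAIN
1416928003 10.0.0.5 bcmxqlzrtvwy.org NXDOMAIN
1416928004 10.0.0.5 plwqrtzvxbnm.com NXDOMAIN
1416928005 10.0.0.5 zqvtrwmklpbx.info NXDOMAIN
1416928006 10.0.0.9 newsonlineshop.com NXDOMAIN
1416928007 10.0.0.9 mybankupdate.net NXDOMAIN
1416928008 10.0.0.9 secureloginsite.com NXDOMAIN
1416928009 10.0.0.9 gogle.cmo NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits per character of the label; random strings score higher."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label):
    """Fraction of characters covered by greedy longest-match dictionary words."""
    covered, i = 0, 0
    while i < len(label):
        best = 0
        for j in range(len(label), i, -1):
            if label[i:j] in WORDS:
                best = j - i
                break
        covered += best
        i += best or 1
    return covered / len(label) if label else 0.0


def dga_score(label):
    """0..1, higher is more DGA-like.  Weights are assumptions, not tuned values."""
    ent_term = min(shannon_entropy(label) / 3.5, 1.0)      # ~3.5 bits for random 12-char labels
    cov = dictionary_coverage(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    vowel_term = 1.0 - min(vowel_ratio / 0.35, 1.0)         # natural words have ~35% vowels
    return round(0.25 * ent_term + 0.55 * (1.0 - cov) + 0.2 * vowel_term, 3)


def registrable_label(qname):
    # Assumption: no public-suffix list, so take the label left of the TLD.
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname, rcode


def hunt(log_text, score_threshold=0.6, min_hits=3, window=300):
    """Return {client: [labels]} for clients with >= min_hits high-scoring
    NXDOMAINs inside any `window` seconds."""
    hits = defaultdict(list)
    for ts, client, qname, rcode in parse(log_text):
        if rcode != "NXDOMAIN":
            continue
        label = registrable_label(qname)
        if dga_score(label) >= score_threshold:
            hits[client].append((ts, label))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[client] = [label for _, label in events]
                break
    return flagged


if __name__ == "__main__":
    for client, labels in hunt(SAMPLE_LOG).items():
        print(f"{client}: {len(labels)} DGA-like NXDOMAINs, e.g. {labels[:3]}")
```

Running it flags only 10.0.0.5; 10.0.0.9's single typo (`gogle.cmo`) scores above the threshold but never reaches the per-host count. Raising `min_hits` or the window trades recall for fewer of exactly the FPs Patrick mentions.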



