Snort mailing list archives

Re: lots of alerts on so rule "possible DGA detected"


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Tue, 25 Nov 2014 14:51:04 +0000

On Tue, Nov 25, 2014 at 2:35 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
Ronny and Kestutis,

Thanks for your query.  Rule 3:31738, "possible DGA detected", performs a
statistical analysis on failed DNS lookups in an attempt to find potential
malware Domain Generation Algorithms (DGAs).  It is disabled by default
because there are many domains out there that do not follow natural (and
semi-natural) language patterns, even when the Alexa Top 1M site list is used
as your dictionary.  If you are willing to tolerate false positives and
take fairly quick glances through the alerts, you can identify hosts that
are clearly falling victim to malware that utilizes a Domain Generation
Algorithm and is searching for its Command and Control server.  As a
"hunter" rule, it requires FPs to be tolerated, since the detection casts a wide net in
an effort to give the analyst as much information as possible.

That said, the rule is under constant review and a few improvements have
been identified and will be rolled out in future versions.  We actively use
this rule to find current, active malware that uses new (and old) DGAs.


Thanks,

~Patrick


Thanks a lot for your explanation, Patrick.
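The kind of "statistical analysis on failed DNS lookups" Patrick describes, shown as an added worked example. This is not the logic of Snort SO rule 3:31738 (the thread does not publish it) and not code from anyone in the thread. It assumes a small hand-written dictionary in place of the Alexa Top 1M list, a constructed set of NXDOMAIN records (not real traffic), and two arbitrary thresholds: a label is "DGA-like" when its character entropy is at least 3.0 bits and at least 40% of its letter bigrams never occur in the dictionary, and a client is reported once it accumulates five such failed lookups.

```python
"""Toy DGA hunter over failed DNS lookups (added example, not Snort's rule)."""
import math
from collections import Counter, defaultdict

# Stand-in dictionary of known-good second-level labels.  In a real hunt this
# would be a large list such as the Alexa Top 1M the thread mentions.
DICTIONARY_LABELS = [
    "google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
    "microsoft", "linkedin", "netflix", "reddit", "github", "apple", "yahoo",
    "instagram", "office", "cloudflare", "dropbox", "adobe", "mozilla",
    "paypal", "ebay", "update", "download", "mail", "news", "search", "login",
    "account", "secure", "service",
]

# Constructed NXDOMAIN records as (client_ip, queried_name).  Not real data.
# 10.0.0.5 looks like a DGA victim hunting for its C2, 10.0.0.7 just typos,
# 10.0.0.9 has two odd lookups, too few to call.
SAMPLE_NXDOMAIN = [
    ("10.0.0.5", "ryfkwaxqtpgeb.com"),
    ("10.0.0.5", "zmolcuwekdbvht.net"),
    ("10.0.0.7", "gogle.com"),
    ("10.0.0.5", "pqieufbnaxgrotk.org"),
    ("10.0.0.9", "kzqvhxjwnbmtpay.org"),
    ("10.0.0.5", "hjudcyxwalmbgne.com"),
    ("10.0.0.7", "faceboook.com"),
    ("10.0.0.5", "gogle.com"),
    ("10.0.0.7", "cloudflare-cdn.net"),
    ("10.0.0.5", "tvkxsoegqbmurfw.biz"),
    ("10.0.0.9", "gmoefxqtcskwpzh.info"),
    ("10.0.0.7", "mail.oldserver.corp.example"),
    ("10.0.0.5", "wcnjqadpbvoizty.info"),
    ("10.0.0.7", "updates.internal"),
    ("10.0.0.7", "netflixx.com"),
]


def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]


def build_bigram_set(labels):
    """All character pairs that occur anywhere in the known-good labels."""
    seen = set()
    for label in labels:
        seen.update(bigrams(label.lower()))
    return seen


DICT_BIGRAMS = build_bigram_set(DICTIONARY_LABELS)


def shannon_entropy(s):
    """Bits per character; high for evenly spread, random-looking strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name):
    """Crude: the label left of the rightmost one ('evil' in 'a.evil.com').
    Ignores public-suffix rules such as co.uk; a real rule needs a suffix list.
    Returns None for single-label names like 'localhost'."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2]


def score_label(label, dict_bigrams):
    """(entropy, fraction of bigrams never seen in the dictionary)."""
    grams = bigrams(label)
    if not grams:
        return 0.0, 0.0
    unseen = sum(1 for g in grams if g not in dict_bigrams) / len(grams)
    return shannon_entropy(label), unseen


def is_dga_like(name, dict_bigrams=DICT_BIGRAMS, min_entropy=3.0,
                min_unseen=0.4):
    """Both tests must fire: random-looking AND unlike dictionary words.
    Thresholds are assumptions for this example, not tuned values."""
    label = registrable_label(name)
    if label is None:
        return False
    entropy, unseen = score_label(label, dict_bigrams)
    return entropy >= min_entropy and unseen >= min_unseen


def find_dga_hosts(records, min_hits=5, **kwargs):
    """Clients with at least min_hits DGA-like failed lookups, with the names."""
    hits = defaultdict(list)
    for client, name in records:
        if is_dga_like(name, **kwargs):
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_hosts(SAMPLE_NXDOMAIN).items():
        print(f"possible DGA on {client}: {', '.join(names)}")
```

Two caveats match Patrick's warning about false positives: the dictionary test is only as good as the dictionary (a legitimate but unusual label such as a CDN hash or an internal hostname with many unseen bigrams will score high), and there is no time window here, so on a long-running sensor the per-host count should be kept over a sliding interval rather than forever.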

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!