Snort mailing list archives
Re: lots of alerts on so rule "possible DGA detected"
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Tue, 25 Nov 2014 14:51:04 +0000
On Tue, Nov 25, 2014 at 2:35 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
Ronny and Kestutis,

Thanks for your query. Rule 3:31738, "possible DGA detected" performs a statistical analysis on failed DNS lookups in an attempt to find potential malware Domain Generation Algorithms (DGAs). It is disabled by default because there are many domains out there that do not follow natural (and semi-natural) language patterns, even when the Alexa Top 1M sites is used for your dictionary.

If you are willing to tolerate false positives and take fairly quick glances through the alerts, you can identify hosts that are clearly falling victim to malware that utilizes a Domain Generation Algorithm and is searching for its Command and Control server. Being a "hunter" rule, FPs need to be tolerated as the detection casts a wide net in an effort to give the analyst as much information as possible.

That said, the rule is under constant review and a few improvements have been identified and will be rolled out in future versions. We actively use this rule to find current, active malware that uses new (and old) DGAs.

Thanks,
~Patrick
Thanks a lot for your explanation Patrick.

Snort-sigs mailing list - https://lists.sourceforge.net/lists/listinfo/snort-sigs
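The approach Patrick describes above (a per-client statistical look at failed DNS lookups, scored against a dictionary built from popular domains) as an added illustration; this is not the Snort rule's code nor anything posted on the list. The log format, the "known good" list, the bigram scoring and the thresholds are all assumptions constructed for the example, and, as with the real rule, typos and unusual legitimate names will still produce false positives that an analyst has to glance through.

```python
import re
from collections import defaultdict

# Constructed stand-in for a popular-domain list such as the Alexa Top 1M.
KNOWN_GOOD = ["google.com", "facebook.com", "youtube.com", "wikipedia.org",
              "amazon.com", "twitter.com", "microsoft.com", "github.com",
              "reddit.com", "netflix.com", "apple.com", "linkedin.com"]
# Constructed resolver log; NXDOMAIN answers are the failed lookups the rule watches.
LOG = [
    "client 10.0.0.5 query xqzvkjwpfh.com rcode NXDOMAIN",
    "client 10.0.0.5 query bqtzmvrxkd.net rcode NXDOMAIN",
    "client 10.0.0.5 query facebok.com rcode NXDOMAIN",     # typo: word-like, not counted
    "client 10.0.0.5 query jhwqxzpkvt.org rcode NXDOMAIN",
    "client 10.0.0.5 query vzxqjkwhpm.com rcode NXDOMAIN",
    "client 10.0.0.5 query google.com rcode NOERROR",       # success: ignored
    "client 10.0.0.5 query kqxjvwzhtb.com rcode NXDOMAIN",
    "client 10.0.0.5 query wzqkxvjhpr.net rcode NXDOMAIN",
    "client 10.0.0.9 query gogle.com rcode NXDOMAIN",       # typos only
    "client 10.0.0.9 query twiter.com rcode NXDOMAIN",
    "client 10.0.0.9 query zxqvk.com rcode NXDOMAIN",       # one odd name: below threshold
]
NXDOMAIN = re.compile(r"client (\S+) query (\S+) rcode NXDOMAIN")

def label_bigrams(hostname):
    """Letter bigrams of the second-level label ('google' for www.google.com)."""
    parts = hostname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return {label[i:i + 2] for i in range(len(label) - 1)}

def build_dictionary(domains):
    """Every bigram seen in known-good names: the 'natural language' baseline."""
    return set().union(*(label_bigrams(d) for d in domains))
DICT = build_dictionary(KNOWN_GOOD)

def oddness(hostname, dictionary):
    """Share of a name's bigrams absent from the baseline: 0.0 word-like, 1.0 random-looking."""
    bg = label_bigrams(hostname)
    return len(bg - dictionary) / len(bg) if bg else 0.0

def hunt(log_lines, dictionary, min_failures=5, min_oddness=0.5):
    """Map client -> odd failed names for clients with >= min_failures of them (thresholds assumed)."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = NXDOMAIN.search(line)
        if m and oddness(m.group(2), dictionary) >= min_oddness:
            per_client[m.group(1)].append(m.group(2))
    return {c: n for c, n in per_client.items() if len(n) >= min_failures}

if __name__ == "__main__":
    for client, names in hunt(LOG, DICT).items():
        print(client, "possible DGA:", ", ".join(names))
```

Lowering `min_failures` widens the net the way a hunter rule does: 10.0.0.9, whose failures are mostly typos, then shows up on the strength of a single odd name.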