Snort mailing list archives

lots of alerts on so rule "possible DGA detected"


From: Ronny Vaningh <ronny () guard-it be>
Date: Tue, 25 Nov 2014 08:55:49 +0100

Hi

I'm seeing a lot of alerts on an SO rule that looks for DGAs.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected"; sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|31738, service dns;)


It seems to trigger on DNS requests that are appending search domains, like:

First the host does a request for myserverhostname001.subdomain.domain.com
After receiving an NXDOMAIN it appends a search domain suffix and generates
a request like

myserverhostname543.subdomain.domain.com.searchdomain.com



Does anyone know what this SO rule is actually looking for, and is there
any way I can influence this? It looks pretty useful, so I want to
avoid disabling it.


Regards


Ronny
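The pattern in the post (a host name with a numeric suffix, then the same name with a resolver search suffix appended, both answered with NXDOMAIN) is exactly what a suffix-blind "random-looking hostname" heuristic will flag. The following is an added example, not code from the post and not the logic of Snort SO rule 3:31738 (which is not visible here); it uses an assumed toy heuristic (label length plus Shannon entropy) and a hypothetical allowlist of the organisation's own zones and search suffixes, over constructed sample names, to show how much of the noise an allowlist of trusted suffixes removes before any per-name scoring runs.

```python
import math
from collections import Counter

# Constructed sample of query names as they might appear in NXDOMAIN responses.
# The first two mirror the pattern described in the post (host name, then the same
# name with a resolver search suffix appended); the other three are made up.
SAMPLE_NXDOMAIN_NAMES = [
    "myserverhostname001.subdomain.domain.com",
    "myserverhostname543.subdomain.domain.com.searchdomain.com",
    "intranet.corp.example",
    "xk3qz9vt2pl8wq1r.info",
    "a1b2c3d4e5f6g7h8.net",
]

# Hypothetical allowlist: the organisation's own zones plus every suffix in the
# resolver search list. Anything under these is a local lookup, not a DGA callback.
TRUSTED_SUFFIXES = ("domain.com", "searchdomain.com")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def first_label(name):
    """Leftmost DNS label, tolerating a trailing root dot."""
    return name.rstrip(".").split(".")[0].lower()


def under_trusted_suffix(name, trusted=TRUSTED_SUFFIXES):
    """True when `name` equals or lies beneath one of the trusted suffixes.
    The leading dot matters: 'evil-domain.com' must not match 'domain.com'."""
    host = name.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in trusted)


def looks_random(label, min_len=10, min_entropy=3.0):
    """Assumed toy heuristic: a long label with high character entropy.
    This is NOT the logic of Snort SO rule 3:31738, which the post does not show."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def classify(name, trusted=TRUSTED_SUFFIXES):
    """'allowlisted' if under a trusted suffix; otherwise 'suspicious' or 'benign'
    according to the randomness heuristic applied to the leftmost label."""
    if under_trusted_suffix(name, trusted):
        return "allowlisted"
    return "suspicious" if looks_random(first_label(name)) else "benign"


def triage(names, trusted=TRUSTED_SUFFIXES):
    """Group names by verdict so the effect of the allowlist is visible at a glance."""
    buckets = {"allowlisted": [], "suspicious": [], "benign": []}
    for name in names:
        buckets[classify(name, trusted)].append(name)
    return buckets


if __name__ == "__main__":
    print("With the allowlist:")
    for verdict, names in triage(SAMPLE_NXDOMAIN_NAMES).items():
        print(f"  {verdict:11s} {names}")
    print("Without it (what a suffix-blind heuristic sees):")
    for verdict, names in triage(SAMPLE_NXDOMAIN_NAMES, trusted=()).items():
        print(f"  {verdict:11s} {names}")
```

Run without the allowlist, both of the post's host names score as "suspicious" (19-character labels with roughly 3.6 to 3.9 bits of entropy per character), which is the false positive the post describes; with the allowlist they never reach the heuristic at all, while the constructed gibberish names still do. The same idea applies whichever detector is in front: feed it the resolver search list and internal zones so that search-suffix retries are excluded up front, and tune the rule itself only for what is left.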
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
