Snort mailing list archives

Re: lots of alerts on so rule "possible DGA detected"


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 25 Nov 2014 13:12:49 -0500

On 11/25/2014 2:55 AM, Ronny Vaningh wrote:
> First the host does a request for myserverhostname001.subdomain.domain.com
> After receiving a NXDOMAIN it appends a search domain suffix and generates a
> request like
>
> myserverhostname543.subdomain.domain.com.searchdomain.com

what software is this, please? so we know to list it as banned and keep it far 
away from our networks ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

