Snort mailing list archives

Re: lots of alerts on so rule "possible DGA detected"


From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 25 Nov 2014 09:35:28 -0500

Ronny and Kestutis,

Thanks for your query.  Rule 3:31738, "possible DGA detected" performs a
statistical analysis on failed DNS lookups in an attempt to find potential
malware Domain Generation Algorithms (DGAs).  It is disabled by default
because there are many domains out there that do not follow natural (and
semi-natural) language patterns, even when the Alexa Top 1M sites is used
for your dictionary.  If you are willing to tolerate false positives and
take fairly quick glances through the alerts, you can identify hosts that
are clearly falling victim to malware that utilizes a Domain Generation
Algorithm and is searching for its Command and Control server.  Being a
"hunter" rule, FPs need to be tolerated as the detection casts a wide net
in an effort to give the analyst as much information as possible.

That said, the rule is under constant review and a few improvements have
been identified and will be rolled out in future versions.  We actively use
this rule to find current, active malware that uses new (and old) DGAs.


Thanks,

~Patrick
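As an added illustration of the approach Patrick describes (scoring failed DNS lookups against a known-good dictionary and then looking per client for a pattern), here is a small detector written for this thread, not Sourcefire's rule or any Snort source. The dictionary, the resolver log format, the bigram statistic and both thresholds are assumptions; it also shows why a small dictionary produces the false positives he mentions.

```python
from collections import defaultdict

# Constructed stand-in for the "known good" dictionary; the real rule draws on a
# much larger list (the thread mentions the Alexa Top 1M).
GOOD_DOMAINS = ["google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
                "linkedin", "instagram", "microsoft", "apple", "netflix", "reddit",
                "github", "stackoverflow", "sourcefire", "snort", "example", "mail"]

# Constructed resolver log, one "<epoch> <client> <qname> <rcode>" line each.
FAILED_LOOKUPS = """\
1416925000 10.0.0.5 mail.example.com NXDOMAIN
1416925001 10.0.0.5 qzxkvwjrtp.com NXDOMAIN
1416925002 10.0.0.5 vbkxqzwnrl.net NXDOMAIN
1416925003 10.0.0.5 xkqvzjwbpt.org NXDOMAIN
1416925004 10.0.0.7 github.com NOERROR
1416925005 10.0.0.7 weather.net NXDOMAIN
1416925006 10.0.0.7 kqzt.com NXDOMAIN
"""

def bigrams(label):
    """Letter pairs of a label, e.g. 'snort' -> ['sn', 'no', 'or', 'rt']."""
    label = label.lower()
    return [label[i:i + 2] for i in range(len(label) - 1)]

KNOWN_BIGRAMS = {bg for word in GOOD_DOMAINS for bg in bigrams(word)}  # "natural" pairs

def unnatural_score(label):
    """Fraction of a label's bigrams never seen in the dictionary (0.0 = natural)."""
    bgs = bigrams(label)
    if not bgs:
        return 0.0
    return sum(1 for bg in bgs if bg not in KNOWN_BIGRAMS) / len(bgs)

def registered_label(qname):
    """Second-level label of a query name: mail.example.com -> 'example'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_dga_hosts(log_text, label_threshold=0.5, min_failures=3):
    """Map client -> suspicious labels, kept only for clients with >= min_failures.
    Both thresholds are assumptions; a lone odd name ('weather', 'kqzt') is dropped."""
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":  # only failed lookups feed the statistic
            continue
        label = registered_label(qname)
        if unnatural_score(label) >= label_threshold:
            suspicious[client].append(label)
    return {c: names for c, names in suspicious.items() if len(names) >= min_failures}
```

With the tiny constructed dictionary, the ordinary word "weather" scores as unnatural, which is exactly the false-positive source the email describes; the per-client minimum is what keeps such one-off misses from alerting.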
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
