
Potential DGA (Domain Generation Algorithm) detected via Repetitive Failures - Rule Uses Wrong Column #14547

Description

@migrande

Describe the bug
I want to re-open the issue described at #11663. I came across the same issue and can confirm that the original reporter was accurate. This rule should be written to use the DstIpAddr as the pivot, not the SrcIpAddr. As the NXDOMAIN responses are "responses" logs, they all come from the DNS servers. In this case, the IPs of interest are the destination IPs, which are the IPs that originally sent in the request.

To Reproduce
n/a

Expected behavior
see above

Screenshots
see above
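To make the column point concrete, the following is an added Python illustration (not the rule's own KQL, and not code from the reporter or the repository) that runs the same "count distinct NXDOMAIN names per host" logic over constructed sample DNS response events, once pivoting on DstIpAddr and once on SrcIpAddr. SrcIpAddr and DstIpAddr are the column names from the report; DomainName, ResponseCodeName, the sample addresses and the threshold of 3 are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample DNS *response* events (not real logs and not the rule's
# own data). SrcIpAddr/DstIpAddr are the column names the issue refers to;
# DomainName and ResponseCodeName are assumed names used only here.
# Because these are responses, the DNS server is always the source and the
# host that originally sent the query is the destination.
DNS_SERVER = "10.0.0.53"
SAMPLE_EVENTS = [
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.7", "DomainName": "kq3vz9p1xw.com", "ResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.7", "DomainName": "r8tq2mnzz.net", "ResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.7", "DomainName": "v0pl3ak9e.org", "ResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.7", "DomainName": "j7zc4wqm.com", "ResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.8", "DomainName": "typo-exampel.com", "ResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": DNS_SERVER, "DstIpAddr": "10.0.1.8", "DomainName": "example.com", "ResponseCodeName": "NOERROR"},
]


def failed_domains_by(events, pivot):
    """Group the distinct domains that received NXDOMAIN by the chosen pivot column."""
    groups = defaultdict(set)
    for e in events:
        if e["ResponseCodeName"] == "NXDOMAIN":
            groups[e[pivot]].add(e["DomainName"])
    return {ip: sorted(domains) for ip, domains in groups.items()}


def dga_candidates(events, pivot="DstIpAddr", threshold=3):
    """Return the IPs that accumulated at least `threshold` distinct NXDOMAIN names."""
    return sorted(ip for ip, d in failed_domains_by(events, pivot).items() if len(d) >= threshold)


if __name__ == "__main__":
    # Pivoting on DstIpAddr attributes the failures to the requesting host;
    # pivoting on SrcIpAddr collapses every failure onto the resolver itself.
    for pivot in ("DstIpAddr", "SrcIpAddr"):
        print(f"pivot={pivot}: candidates={dga_candidates(SAMPLE_EVENTS, pivot)}")
```

With the SrcIpAddr pivot the only "candidate" is the DNS server, because every response carries its address as the source; only the DstIpAddr pivot surfaces the client (10.0.1.7 in the sample) that actually generated the failing lookups. This holds for response records specifically; a data source that also logs the outbound queries would need the pivot chosen per event direction.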
