En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Additional information on GuardDuty DNS Findings

0

I am receiving DNS related GuardDuty findings for "querying algorithmically generated domains" that we suspect are not algorithmically generated.

An example URL is from the following Facebook page: https://www.facebook.com/SOMD-167556163301693/

The URL in question is http://stuckonmsdawn.com/

So my questions:

  1. Why is GuardDuty flagging this as algorithmically generated?
  2. Is there a way of checking with AWS whether they think a domain is algorithmically generated (or as part of a "Command & Control server" also) before actually making the DNS query itself?

Thanks

Sujets
Sécurité, identité et conformité
Balises
Amazon GuardDuty
Langue
English
MaxEB
demandé il y a 2 ans988 vues
1 réponse
1

There are 2 types of DGA related GuardDuty findings i.e. DGADomainRequest.B and DGADomainRequest.C!DNS.

For this finding EC2/DGADomainRequest.B: it is based on analysis of domain names using advanced heuristics and may identify new DGA domains that are not present in threat intelligence feeds. If you believe the domain has been incorrectly identified, please raise a technical support ticket with AWS support.

For this finding DGADomainRequest.C!DNS: it is based on known DGA domains from GuardDuty's threat intelligence feeds.

Please refer to this link for additional details of the DGA related findings.

profile pictureAWS
Kuok Chiang
répondu il y a 2 ans
  • AWS-User-2792197
    il y a 2 ans

    Finding a lot of this lately, does not seem very intelligent. Lots of false positives.

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents