2012-09-17 06:55 PM
I have been doing quite a bit of research in the DNS department and wanted to share some fun simple stuff. I created a rule called "DNS Large Number of Authority Records w/o Answer" that looks like this "risk.suspicious = 'dns large number of authority records' && error = 'dns error no name with aa'."
When you take a peek at it, try to look at lower volumes of data such as 'last hour' or 'last 3 hours' since DNS usually has a ton of traffic. The reason for this is that DGA domains often only hit a few times on one domain but hit thousands in a few hours, keeping their numbers relatively low. Once you do that, look at the Hostname Alias's top 5000 results and see if there is anything that pops out at you...
If you see something like this:
Then you found a DGA botnet.
There are many different types of DGAs, so writing a rule to find them isn't the easiest thing.
Here are some examples:
www.xn--zalgo666463-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com
www.xn--zalgo667796-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com
www.xn--zalgo667874-sjgb60aighl2i8jc3b0a2a97ftbll0cza.com
qpohozvspp
qqjzlsajis
qqnucaacew
qrpgowkzvy
qsjeqgklbe
qibinbef.biz
qiwou.biz
qlpgscg.net
And the list can go on...
From here, you can figure out how to write some correlation rules and other fun things.
Jonathan Tomek
2014-02-25 04:32 PM
I added on to your idea up here with regex but I am getting some kind of error. Can someone take a look and tell me why my regex isn't working?
alias.host regex '[bcdfghjklmnpqrstvwxz]{6,32}'
Gives me a crazy error; seems like NetWitness doesn't like my regex.
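As an added example (not code from either poster, and not a NetWitness query), the following Python reimplements both heuristics from this thread over a constructed DNS log: the "large number of authority records without answer" rule from the first post, and the consonant-run regex from the second. The log line format, the authority-record threshold and the helper names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread): client, queried name, rcode,
# AA flag, answer-record count and authority-record count per response.
SAMPLE_LOG = """\
10.0.0.5 qpohozvspp.com NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.5 qqjzlsajis.com NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.5 qqnucaacew.com NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.5 qrpgowkzvy.com NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.5 qsjeqgklbe.com NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.5 qibinbef.biz NXDOMAIN aa=1 ancount=0 nscount=6
10.0.0.7 www.google.com NOERROR aa=0 ancount=2 nscount=0
10.0.0.7 typo.exmaple.org NXDOMAIN aa=1 ancount=0 nscount=1
10.0.0.7 www.microsoft.com NOERROR aa=0 ancount=1 nscount=4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) aa=([01]) ancount=(\d+) nscount=(\d+)$")
# The consonant-run pattern posted in the thread: 6 to 32 consonants in a row (no vowels, no 'y').
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{6,32}")

def parse(log_text):
    """Turn the assumed log format into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, qname, rcode, aa, ancount, nscount = m.groups()
        records.append({"client": client, "qname": qname.lower().rstrip("."), "rcode": rcode,
                        "aa": aa == "1", "ancount": int(ancount), "nscount": int(nscount)})
    return records

def large_authority_no_answer(rec, min_ns=4):
    """First post's rule: authoritative NXDOMAIN, zero answers, many authority records."""
    return rec["rcode"] == "NXDOMAIN" and rec["aa"] and rec["ancount"] == 0 and rec["nscount"] >= min_ns

def registrable_label(qname):
    """Drop a leading 'www.' and the TLD so the regex only sees the generated part of the name."""
    parts = qname.split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[0] if len(parts) == 1 else ".".join(parts[:-1])

def dga_candidates(log_text, min_ns=4):
    """Return {qname: hit_count} for every name that trips the authority-record rule."""
    return dict(Counter(r["qname"] for r in parse(log_text) if large_authority_no_answer(r, min_ns)))

def consonant_run_hits(hosts):
    """Second post's regex, applied as a substring match on the label (NetWitness regex also matches substrings)."""
    return [h for h in hosts if CONSONANT_RUN.search(registrable_label(h))]
```

Running it shows why the two signals belong together: the authority-record rule flags all six generated names and ignores the single-authority-record typo, while the consonant-run regex on its own matches only qqjzlsajis.com, since the other examples from the thread never reach six consonants in a row.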