GuardDuty Alert whilst running AIL

[Phil-ThePower-Pearce]

Hi Ive have an ec2 instance, with a locked down security group, only office IPs allowed in.

AWS Guard Duty is reporting the following:

"title": "DGA domain name queried by EC2 instance i-05fxxxxxxxxxb6c.",
"description": "EC2 instance i-05fxxxxxxxxxb6c is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance."

What could ail be doing that would trigger this alert? Crawlers are not enabled, and my feeds come directly from CIRCL.

[adulau]

Thank you very much for the reporting.

I'm the author of the Python library DomainClassifier which is basically triggering this "wonderful advanced heuristics" from Amazon. DomainClassifier library is basically enumerating all potential domains/hostnames from list of terms seen in the items received. It's useful to detect potential location of an item based on the domains/hostnames resolved but also to feed Passive DNS database.

It would be interesting to reach out to the security team of AWS (and especially the one in charge of AWS Guard Duty) to propose the following:

• The ability to understand the heuristic (e.g. entropy based on domain, too many NXDOMAINS) used behind. Maybe the customer of the AWS service can change the parameters in the heuristic to reduce the false-positive rate.

or

• Disable the DGA detection functionality.

or

• Tunnel the DNS request towards another DNS which cannot be seen by AWS Guard Duty.

or

• Disable the DomainClassifier module if you don't need it.

I hope this helps.

[Phil-ThePower-Pearce]

Thanks for explaining, I can supress the filter for this instance and that alert