PaloAltoNetworks / SafeNetworking

Read-only mirror. To contribute or submit issues, please go to the website link --->
https://gitlab.com/panw-gse/as/SafeNetworking/
Apache License 2.0

Determine DGAs in cloud-dns and set to be enriched later #78

Closed punisherVX closed 5 years ago

punisherVX commented 5 years ago

With 9.0 cloud-dns on, the NGFW sends a LOT of DGAs that, while they could be of interest, use too many points and take too long to look up. This pushes back the primary and secondary known domains from being looked up, and SFN/AF can never catch up.

The need is to classify these differently at ingest time and run against them only if the system runs out of primary and secondary, known domains to run against.

zube[bot] commented 5 years ago

sdndude said: This is fixed in a271936

Identified both DGA (109000001) and DNS Tunneling (109001001) log messages and set SFN.processed to 21. This allows them to be picked up at a later time so we can process known bad domains first.
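The triage the fix describes, written out as an added illustration (this is not SafeNetworking's own code): at ingest time, threat logs whose threat ID is the DGA (109000001) or DNS Tunneling (109001001) signature get SFN.processed set to 21, and the lookup scheduler draws those deferred events only after it has run out of pending known-domain events. The two threat IDs and the value 21 come from the thread; the event field names, the "pending" marker value 0, the batch helper and the sample events are assumptions made for the example.

```python
"""Ingest-time triage of PAN-OS threat logs for later DNS enrichment.

Added example, not SafeNetworking's own code. Only the two threat IDs and
the `SFN.processed == 21` marker come from the issue; everything else
(field names, the pending marker 0, the batch helper) is assumed.
"""
from typing import Iterable, List

# Threat IDs named in the issue for the PAN-OS 9.0 cloud DNS signatures.
THREAT_ID_DGA = 109000001
THREAT_ID_DNS_TUNNELING = 109001001
DEFER_THREAT_IDS = {THREAT_ID_DGA, THREAT_ID_DNS_TUNNELING}

PROCESSED_PENDING = 0    # assumed marker: ready for lookup now
PROCESSED_DEFERRED = 21  # value the fix writes for DGA / tunneling hits


def classify_event(event: dict) -> dict:
    """Return a copy of `event` with SFN.processed set for the scheduler.

    DGA and DNS-tunneling hits are deferred; everything else is pending.
    Syslog fields often arrive as strings, so the threat ID is coerced
    before comparison; an unparsable ID is treated as "not deferrable".
    """
    try:
        threat_id = int(event.get("threat_id", -1))
    except (TypeError, ValueError):
        threat_id = -1
    tagged = dict(event)
    tagged["SFN"] = dict(tagged.get("SFN", {}))  # nested doc, as in "SFN.processed"
    tagged["SFN"]["processed"] = (
        PROCESSED_DEFERRED if threat_id in DEFER_THREAT_IDS else PROCESSED_PENDING
    )
    return tagged


def next_batch(events: Iterable[dict], size: int) -> List[dict]:
    """Select up to `size` events for the next lookup round.

    Pending (known-domain) events are always taken first, in arrival
    order. Deferred DGA/tunneling events only fill whatever capacity is
    left once the pending queue is exhausted, so a flood of DGA hits can
    never starve the known-bad-domain lookups.
    """
    events = list(events)
    pending = [e for e in events if e["SFN"]["processed"] == PROCESSED_PENDING]
    deferred = [e for e in events if e["SFN"]["processed"] == PROCESSED_DEFERRED]
    batch = pending[:size]
    if len(batch) < size:
        batch += deferred[: size - len(batch)]
    return batch


# Constructed sample events, not real firewall output. Threat IDs 12345
# and 67890 are placeholders standing in for any non-DNS-security signature.
SAMPLE_EVENTS = [
    {"threat_id": "109000001", "misc": "x7k2p9qzvb.example"},   # DGA, ID as string
    {"threat_id": 12345, "misc": "known-bad-one.example"},
    {"threat_id": 109001001, "misc": "tunnel.example"},         # DNS tunneling
    {"threat_id": 67890, "misc": "known-bad-two.example"},
]


def triage(events: Iterable[dict]) -> List[dict]:
    """Classify every ingested event; returns the tagged copies in order."""
    return [classify_event(e) for e in events]


if __name__ == "__main__":
    tagged = triage(SAMPLE_EVENTS)
    for e in tagged:
        print(e["misc"], "->", e["SFN"]["processed"])
    print("batch of 3:", [e["misc"] for e in next_batch(tagged, 3)])
```

With a batch size of 3 the two placeholder known-bad events are looked up first and the DGA hit only takes the third slot; with a batch size of 2 neither DGA nor tunneling event is touched at all.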