Open lucaderi opened 11 months ago
@lucaderi
Can you please explain a bit more about this issue to figure out the possible fix. Thx.
@mmanoj, for HTTP traffic we already try to detect DGA for hostnames; I think @lucaderi would like to check the filename part of the URL, too. Example: for "202.22.141.45/9E4lXP65j9LF9Y7R/" the hostname is "202.22.141.45" while the path/filename is "9E4lXP65j9LF9Y7R"
I think this issue is about checking if "9E4lXP65j9LF9Y7R" is a DGA
These are examples of these issues that need to be detected by nDPI
202.22.141.45/9E4lXP65j9LF9Y7R/
62.210.90.75:443/G9xxDpgI75/
http://80.87.201.221:7080/pIXPXFus4dL9VHy/Ae4QuOOcWqMiS6t/PR8Ag6INSGfX0v/P4eGV/jBuvXE/J7W3n4va8quznD/
Use the enclosed file for testing
2020-09-30-Emotet-infection-with-Trickbot.pcap.zip
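A path-segment check of the kind discussed above, written here as an added illustration and not taken from nDPI: it skips the scheme and host[:port], splits the path on `/`, and flags segments that are long, purely alphanumeric, mix character classes and repeat few characters. The length, class and distinct-ratio thresholds are assumptions for this example, not values nDPI uses.

```c
#include <ctype.h>
#include <string.h>

/* Fraction of distinct bytes in a segment: 1.0 means no repeats. */
static double distinct_ratio(const char *s, size_t len) {
  unsigned char seen[256] = {0};
  size_t distinct = 0;
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char)s[i];
    if (!seen[c]) { seen[c] = 1; distinct++; }
  }
  return (double)distinct / (double)len;
}

/* Heuristic: a path segment "looks generated" when it is at least 8
 * chars, contains only letters and digits, mixes at least two of
 * {digits, lowercase, uppercase} and repeats few characters.
 * Thresholds are assumptions chosen for this illustration. */
int segment_looks_random(const char *seg, size_t len) {
  int digits = 0, lower = 0, upper = 0;
  if (len < 8) return 0;
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char)seg[i];
    if (isdigit(c)) digits++;
    else if (islower(c)) lower++;
    else if (isupper(c)) upper++;
    else return 0; /* dots, dashes, extensions: treat as a normal name */
  }
  if ((digits > 0) + (lower > 0) + (upper > 0) < 2) return 0;
  return distinct_ratio(seg, len) >= 0.6;
}

/* Count the path segments of a URL that look generated. The scheme
 * and host[:port] are skipped, so only the path is examined. */
int count_random_path_segments(const char *url) {
  const char *p = strstr(url, "://");
  int hits = 0;
  p = strchr(p ? p + 3 : url, '/'); /* first '/' after host[:port] */
  while (p && *p) {
    if (*p == '/') { p++; continue; }
    const char *end = strchr(p, '/');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (segment_looks_random(p, len)) hits++;
    p += len;
  }
  return hits;
}
```

Run against the three URLs from the comment above it reports 1, 1 and 4 generated-looking segments (the short `P4eGV` and `jBuvXE` fall under the length threshold), while ordinary paths such as `/images/logo.png` score 0.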