Suspicious DGA and file transfer - exclude domain and file names

[martinscheu]

Hello ntop Team! The two alerts suspicious DGA domain and file transfer are very noisy. To reduce false positives alerts, it would be helpfull to exclude domains in the DGA alert, including the possibility of wildcards * examples:

• www.msftconnecttest.com or sls.emea.update.microsoft.com.akadns.net : exclude full domain
• 6zhk7beey4aio3ml.a.e.e5.sk : exclude tld e5.sk with *e5.sk Suspicious file transfer:
• http://pico.eset.com/pico/1/115808.pic : http://pico.eset.com/*
• http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6bd0ebecf758b9a4 : http://ctldl.windowsupdate.com/*
• http://172.3.13.9:2221/file895.txt : http://172.3.13.9:2221/file895.txt thank you

[lucaderi]

I have update nDPI to take into account most of the requests you have made. The only one that is not handled is *e5.sk at nDPI level. You can exclude hosts in ntopng from triggering alerts but this is not the same as the above request. What do you think?

[martinscheu]

issue is, that e5.sk is the antivirus, I would need to exclude all hosts, means the alert doesn't help me. and sub domain is not static. but half good solution would be to be able besides hosts IPs to exclude domains.

[lazyandproud]

If thats hardcoded, maybe it's a good idea to also add the Antimalware Updates an Exchange Server 2016 > CU4 pulls constantly. It's annoying ;)

As far as I found out so far it's amupdatedl.microsoft.com and amupdatedl[1-9].microsoft.com

ref from ms: https://social.technet.microsoft.com/Forums/office/en-US/c3d71596-8ea9-479d-8f09-4d07cbc6ff2b/antimalware-updates-fipfs-produce-huge-network-traffic-ex-2016-cu5-cu3?forum=Exch2016SD

[lucaderi]

Please see https://www.ntop.org/ndpi/howto-define-ndpi-risk-exceptions-for-networks-and-domains/

[lucaderi]

Fixed by https://github.com/ntop/nDPI/commit/6679453d8601b7116534558097aaffc2bda14963