Filter DGA
frikilax edited this page May 12, 2020 · 4 revisions
The DGA filter aims to detect domains produced by Domain Generation Algorithms (DGA), which are used mainly for command and control.
Filter code: 0x64676164
Dependencies:
- faup, 1.5_1 or above
- tensorflow (C++ libs, static or shared), 1.13 (FreeBSD package provided in the Vulture Repository)
Example of darwin configuration for this filter:
```json
{
  "dga_1": {
    "exec_path": "/path/to/darwin/build/darwin_dga",
    "config_file": "/path/to/filter.conf",
    "output": "LOG",
    "next_filter": "",
    "nb_thread": 1,
    "log_level": "WARNING",
    "cache_size": 1000
  }
}
```
Keys of the filter configuration file (config_file):
- token_map_path : full path to the .csv file mapping each character found in a domain to a token
- model_path : full path to the .pb file containing the AI model (TensorFlow model)
- max_tokens (optional) : maximum number of tokens taken into account when tokenizing a domain name (see token_map_path)
- redis_socket_path (optional) : the redis in which the filter will store its data
- alert_redis_list_name (optional) : the key under which the filter will store the raised alerts in redis
- alert_redis_channel_name (optional) : the redis channel on which the raised alerts will be published
- log_file_path (optional) : the path of the file in which the filter will write raised alerts
Example:
```json
{
  "model_path": "/home/darwin/conf/fdga/model.pb",
  "token_map_path": "/home/darwin/conf/fdga/tokens.csv",
  "max_tokens": 150,
  "redis_socket_path": "/var/sockets/redis/redis.sock",
  "alert_redis_list_name": "darwin_alerts",
  "alert_redis_channel_name": "darwin.alerts",
  "log_file_path": "/var/log/darwin/alerts.log"
}
```
Input format (body), one domain per entry:
```json
[
  ["<domain1>"],
  ["<domain2>"],
  ...
]
```
Here is an example of a body:
```json
[
  ["intgmxdeadnxuyla.com"],
  ["google.com"],
  ["www.advens.fr"]
]
```
If output is set to LOG, each raised alert is written as one JSON line of the form:
```json
{"evt_id": <uuid>, "time": "<ISO8601>", "filter": "dga", "domain": "<domain>", "dga_prob": <certitude>}
```
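As an added example (not part of the Darwin project's code), a small Python helper that builds a request body in the input format above from a list of domains, then parses the alert lines the filter writes to log_file_path when output is LOG and keeps the domains whose dga_prob reaches a threshold. The alert lines below are constructed, and the 0-100 scale and the threshold value are assumptions, not something this page defines.

```python
import json
from typing import Iterable

# Constructed sample of LOG output in the format documented above (not real filter output).
SAMPLE_ALERTS = """\
{"evt_id": "8f0c2a4e-0000-4000-8000-000000000001", "time": "2020-05-12T10:00:00Z", "filter": "dga", "domain": "intgmxdeadnxuyla.com", "dga_prob": 98}
{"evt_id": "8f0c2a4e-0000-4000-8000-000000000002", "time": "2020-05-12T10:00:01Z", "filter": "dga", "domain": "google.com", "dga_prob": 3}
not a json line
{"evt_id": "8f0c2a4e-0000-4000-8000-000000000003", "time": "2020-05-12T10:00:02Z", "filter": "dga", "domain": "www.advens.fr", "dga_prob": 12}
"""


def build_body(domains: Iterable[str]) -> str:
    """Serialize domains as the filter's input body: a JSON list of one-element lists."""
    cleaned = []
    for d in domains:
        d = d.strip().rstrip(".").lower()  # drop trailing dot and case before scoring
        if not d:
            continue
        cleaned.append([d])
    return json.dumps(cleaned)


def parse_alerts(text: str) -> list:
    """Parse one JSON alert per line; skip lines that are not well-formed DGA alerts."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or foreign line must not abort the whole file
        if not isinstance(evt, dict) or evt.get("filter") != "dga":
            continue
        if "domain" not in evt or "dga_prob" not in evt:
            continue
        alerts.append(evt)
    return alerts


def suspicious_domains(alerts: list, threshold: float = 80) -> list:
    """Return (domain, dga_prob) pairs at or above the (assumed 0-100) threshold, highest first."""
    hits = [(a["domain"], a["dga_prob"]) for a in alerts if a["dga_prob"] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    print(build_body(["intgmxdeadnxuyla.com", "google.com", "www.advens.fr"]))
    print(suspicious_domains(parse_alerts(SAMPLE_ALERTS)))
```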