<div dir="ltr"><div><div>
Hi all,<br>
<br>
I am seeing a strange behavior with rules 2011410 and 2012956. When I try:<br>
<br>
> <a href="http://alberta.cz.cc" rel="noreferrer" target="_blank">alberta.cz.cc</a><br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
Non-authoritative answer:<br>
<a href="http://alberta.cz.cc" rel="noreferrer" target="_blank">alberta.cz.cc</a> canonical name = <a href="http://pk.22.cn" rel="noreferrer" target="_blank">pk.22.cn</a>.<br>
Name: <a href="http://pk.22.cn" rel="noreferrer" target="_blank">pk.22.cn</a><br>
Address: 0.0.0.0<br>
<br>
... no alert is triggered. But when I try:<br>
<br>
> <a href="http://alberta.co.tv" rel="noreferrer" target="_blank">alberta.co.tv</a><br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
** server can't find <a href="http://alberta.co.tv" rel="noreferrer" target="_blank">alberta.co.tv</a>: NXDOMAIN<br>
<br>
an alert is triggered:<br>
<br>
04/04/2018-18:20:58.297010 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} <a href="http://172.22.55.1:25327" rel="noreferrer" target="_blank">172.22.55.1:25327</a> -> <a href="http://172.22.54.4:53" rel="noreferrer" target="_blank">172.22.54.4:53</a><br>
04/04/2018-18:20:59.321374 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} <a href="http://172.22.55.1:43946" rel="noreferrer" target="_blank">172.22.55.1:43946</a> -> <a href="http://172.22.54.4:53" rel="noreferrer" target="_blank">172.22.54.4:53</a><br>
04/04/2018-18:21:00.352213 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} <a href="http://172.22.55.1:37370" rel="noreferrer" target="_blank">172.22.55.1:37370</a> -> <a href="http://172.22.54.4:53" rel="noreferrer" target="_blank">172.22.54.4:53</a><br>
04/04/2018-18:21:02.392962 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} <a href="http://172.22.55.1:38905" rel="noreferrer" target="_blank">172.22.55.1:38905</a> -> <a href="http://172.22.54.4:53" rel="noreferrer" target="_blank">172.22.54.4:53</a><br>
04/04/2018-18:21:04.433926 [**] [1:2012956:4] ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} <a href="http://172.22.55.1:23993" rel="noreferrer" target="_blank">172.22.55.1:23993</a> -> <a href="http://172.22.54.4:53" rel="noreferrer" target="_blank">172.22.54.4:53</a><br>
<br>
Why? Both rules are defined the same way:<br>
<br>
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for
Suspicious .cz.cc Domain"; dns_query; content:".cz.cc";
isdataat:!1,relative; nocase; reference:url,<a href="http://sign.kaffenews.com/?p=104" rel="noreferrer" target="_blank">sign.kaffenews.<wbr>com/?p=104</a>; classtype:bad-unknown; sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)<br>
<br>
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for a Suspicious *.<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a> domain"; dns_query; content:".<a href="http://co.tv" rel="noreferrer" target="_blank">co.tv</a>";
nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2012956;
rev:4; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
<br><br></div> I am using Suricata 4.0.4 under FreeBSD 11.1.<br><br></div>Thanks.<br></div>
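<p>As an added example (not code from the original post, nor from the Emerging Threats ruleset or Suricata), the script below reimplements what the two rules' match clauses accept: <code>content</code> plus <code>nocase</code> plus <code>isdataat:!1,relative</code> on the <code>dns_query</code> buffer amounts to a case-insensitive "query name ends with this suffix" test. It parses the question name out of constructed DNS query packets for the names in the post and reports which sid would match. The packet builder, the <code>alberta.cz.cc.localdomain</code> search-suffix variant and the <code>RULES</code> table are assumptions made for the example. It only shows what the rules would do with a given query name; it cannot tell whether the <code>alberta.cz.cc</code> query was actually forwarded from the local resolver on 127.0.0.1 to 172.22.54.4, which a capture on that path would have to show.</p>

```python
import struct

# Reimplemented rule semantics (assumption for this example, not Suricata's code):
# content:"<suffix>"; nocase; isdataat:!1,relative;  ==  query name ends with
# <suffix>, compared case-insensitively.  Keyed by sid from the post.
RULES = {
    2011410: ".cz.cc",
    2012956: ".co.tv",
}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query packet for `name` (constructed test input)."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, qclass IN


def parse_query_name(packet: bytes) -> str:
    """Return the first question name from a DNS packet, without the trailing dot."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def matching_sids(query_name: str) -> list:
    """Sids whose suffix matches the query name (nocase + isdataat:!1,relative)."""
    name = query_name.lower()
    return [sid for sid, suffix in RULES.items() if name.endswith(suffix)]


def check_packet(packet: bytes) -> list:
    """Parse the query name from a packet and return the matching sids."""
    return matching_sids(parse_query_name(packet))


if __name__ == "__main__":
    # Names from the post plus a constructed search-suffix variant, which shows
    # why a query that leaves the host with a domain appended would not match.
    for name in ("alberta.cz.cc", "ALBERTA.CZ.CC", "alberta.co.tv",
                 "alberta.cz.cc.localdomain", "pk.22.cn"):
        print(f"{name:28s} -> {check_packet(build_query(name))}")
```

<p>Both names as typed in the post match their respective sid here, so the difference the post reports has to come from what is on the wire between the resolver and 172.22.54.4 rather than from the two rules' match clauses.</p>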