[Oisf-users] What is this rule telling me?

James Moe jimoe at sohnen-moe.com
Sat Dec 9 19:52:17 UTC 2017


suricata 4.0.1
linux 4.4.92-31-default x86_64

  I have been seeing these in the logs recently:

12/09/2017-08:41:47.525192  [**] [1:2013743:4] ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.69.246:54142 -> 8.8.8.8:53

  Oddly this was not logged in <alert-debug.log>.

  Is <8.8.8.8> considered bad?

{
  "timestamp": "2017-12-09T08:41:47.525192-0700",
  "flow_id": 301294174274440,
  "event_type": "alert",
  "src_ip": "192.168.69.246",
  "src_port": 54142,
  "dest_ip": "8.8.8.8",
  "dest_port": 53,
  "proto": "UDP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2013743,
    "rev": 4,
    "signature": "ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
    "category": "Potentially Bad Traffic",
    "severity": 2
  },
  "app_proto": "dns"
}

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
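The rule in the post keys on the queried name (a no-ip dynamic-DNS domain), not on the resolver: 8.8.8.8 is simply where the query was sent, and neither the fast.log line nor the EVE alert record above shows the name that matched. The Python script below is an added example, not part of the original post and not Suricata's own code; it joins EVE alert records to the dns query records that share the same flow_id, so the queried name can be read next to the alert. The eve.json lines embedded in it are constructed: the alert is the one from the post re-joined onto one line, while the dns events, the transaction id 4711, the answer address and the domain example-host.no-ip.org are hypothetical and exist only to show the join.

```python
import json
from collections import defaultdict

# Constructed sample of eve.json lines (not a real capture). Line 1 is the
# alert from the post; the dns records are hypothetical, including the
# queried name and answer, and are only here to demonstrate the correlation.
SAMPLE_EVE = r"""
{"timestamp":"2017-12-09T08:41:47.525192-0700","flow_id":301294174274440,"event_type":"alert","src_ip":"192.168.69.246","src_port":54142,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013743,"rev":4,"signature":"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2017-12-09T08:41:47.525192-0700","flow_id":301294174274440,"event_type":"dns","src_ip":"192.168.69.246","src_port":54142,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4711,"rrname":"example-host.no-ip.org","rrtype":"A","tx_id":0}}
{"timestamp":"2017-12-09T08:41:47.561004-0700","flow_id":301294174274440,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.69.246","dest_port":54142,"proto":"UDP","dns":{"type":"answer","id":4711,"rcode":"NOERROR","rrname":"example-host.no-ip.org","rrtype":"A","ttl":60,"rdata":"203.0.113.10"}}
{"timestamp":"2017-12-09T08:41:50.000000-0700","flow_id":111111111111111,"event_type":"dns","src_ip":"192.168.69.246","src_port":54143,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4712,"rrname":"www.example.com","rrtype":"A","tx_id":0}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A half-written trailing line is normal when tailing a live log.
            continue
    return events


def index_dns_queries(events):
    """Map flow_id -> ordered list of names queried on that flow.

    Only 'query' records are indexed; answer records on the same flow are
    ignored so a name is not listed once per returned RR.
    """
    queries = defaultdict(list)
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") == "query" and "rrname" in dns:
            queries[ev["flow_id"]].append(dns["rrname"])
    return queries


def explain_dns_alerts(events):
    """For every alert raised on a DNS flow, attach the names queried on it.

    The resolver (dest_ip) is reported separately from the queried names so
    it is obvious which of the two the signature actually matched on.
    """
    queries = index_dns_queries(events)
    findings = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev.get("app_proto") != "dns":
            continue
        findings.append({
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "client": ev["src_ip"],
            "resolver": ev["dest_ip"],
            "queried": queries.get(ev["flow_id"], []),
        })
    return findings


if __name__ == "__main__":
    for f in explain_dns_alerts(parse_eve(SAMPLE_EVE)):
        names = ", ".join(f["queried"]) or "(no dns query record on this flow)"
        print(f"sid {f['sid']}: {f['client']} asked {f['resolver']} for {names}")
```

This only works if the dns event type is enabled under the eve-log output in suricata.yaml, which is what produces the query and answer records the script joins on; the exact match the signature performs is in the rule body itself, so grep for sid:2013743 in the ET rule files you load to see it.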
