[Oisf-users] What is this rule telling me?
Chris Wakelin
cwakelin at emergingthreats.net
Sat Dec 9 20:40:54 UTC 2017
8.8.8.8 is just Google's public DNS resolver and is fine (unless your
company policy, say, prevents using an external DNS provider).
What this rule means is that something on your network made a DNS
request for an address with ".no-ip." in the domain name.
Like many free/cheap DNS providers they are frequently used by malware
for download and command-and-control, but may also have legitimate
traffic, hence the "INFO" tag.
You could look in the dns.log file (if you have it enabled) or eve JSON
logs to find the actual DNS request and what it resolved to.
Best Wishes,
Chris
On 09/12/17 19:52, James Moe wrote:
>
> suricata 4.0.1
> linux 4.4.92-31-default x86_64
>
> I have been seeing these in the logs recently:
>
> 12/09/2017-08:41:47.525192 [**] [1:2013743:4] ET INFO DYNAMIC_DNS Query
> to a Suspicious no-ip Domain [**] [Classification: Potentially Bad
> Traffic] [Priority: 2] {UDP} 192.168.69.246:54142 -> 8.8.8.8:53
>
> Oddly this was not logged in <alert-debug.log>.
>
> Is <8.8.8.8> considered bad?
>
> {"timestamp":"2017-12-09T08:41:47.525192-0700","flow_id":301294174274440,"event_type":"alert","src_ip":"192.168.69.246","src_port":54142,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013743,"rev":4,"signature":"ET
> INFO DYNAMIC_DNS Query to a Suspicious no-ip
> Domain","category":"Potentially Bad
> Traffic","severity":2},"app_proto":"dns"}
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
More information about the Oisf-users
mailing list