Started noticing suricata alerts based on this ET.
Code: Select all
ET DNS Query for .su TLD (Soviet Union) Often Malware RelatedCode: Select all
network.data.decoded .............ns2.magicgenericmart.su.....Code: Select all
(..5.?._X..............ns2.magicgenericmart.su..............W.".ns1...admin..w..@...X......u.....Is there a better way in dealing with this in CSF?
What was also observed is that this FQDN is an alias that forwarded to a different IP and host in Poland and then 24hrs later it now points to a provider in Russia (89.222.128.42) - NET Block oddity is in June of 2020 this block was 89.222.128.0/17 and today we see it has been downsized 89.222.128.0/22. We've since updated our infrastructure but still not clear as to why the csf.dyndns was not catching this.
~b10