Hello all,
Suricata is throwing up some alerts that I think are OK, but I am not sure. Is this OK?
Content match Service Suricata_alert
Date: Sat, 30 Aug 2025 14:41:04
Action: alert
Host: opnsfwpr01.petrillo.home
Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...
Goes to show why I do not use Suricata: just because you query a .cc domain does not necessarily mean there is something wrong.
If I needed a new hobby to fill my days, I would turn to selecting and fine-tuning all of those rules... ;-)
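Added example, not posted by either participant above: a small Python triage script of the kind an operator would use before deciding whether to keep, suppress or drop a noisy rule such as SID 2027758. It parses EVE JSON records (the sample lines below are constructed to mirror the alert quoted in the thread; they are not captured output), counts alerts per signature, applies a Suricata-style suppression (gid/sid plus a tracked IP) and emits the matching `suppress` line for `threshold.config`. The assumption that 185.136.96.98 is the resolver that 172.16.2.2 is configured to use is exactly that, an assumption; a query to some other DNS server for a .cc name is kept so it still gets looked at.

```python
"""Triage Suricata EVE alerts and generate threshold.config suppress lines.

Added example for the thread above; not code from the original posts or
from the Suricata project. Sample EVE lines are constructed, not captured.
"""
import json
from collections import Counter

# Constructed eve.json lines modelled on the ".cc TLD" alert in the thread.
# Two alerts go to the LAN's configured resolver (assumed: 185.136.96.98),
# one goes to an unexpected DNS server, and one record is not an alert at all.
SAMPLE_EVE = r"""
{"timestamp":"2025-08-30T14:39:03.101552-0400","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-08-30T14:40:11.000000-0400","event_type":"alert","src_ip":"172.16.2.2","src_port":40001,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-08-30T14:41:30.000000-0400","event_type":"alert","src_ip":"172.16.2.50","src_port":51234,"dest_ip":"203.0.113.7","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-08-30T14:42:00.000000-0400","event_type":"dns","src_ip":"172.16.2.2","dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.cc","rrtype":"A"}}
"""

# Suppression entries use the same fields as a threshold.config "suppress"
# line: generator id, signature id, what to track and which IP to match.
# Assumption: 185.136.96.98 is the resolver this LAN is meant to talk to.
SUPPRESSIONS = [
    {"gid": 1, "sid": 2027758, "track": "by_dst", "ip": "185.136.96.98"},
]


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suppressed(record, suppressions):
    """True if an alert record matches a suppression on gid/sid and tracked IP."""
    alert = record["alert"]
    for s in suppressions:
        if (alert["gid"], alert["signature_id"]) != (s["gid"], s["sid"]):
            continue
        key = "src_ip" if s["track"] == "by_src" else "dest_ip"
        if record.get(key) == s["ip"]:
            return True
    return False


def triage(text, suppressions):
    """Return only the alert records that survive the suppression list."""
    alerts = [r for r in parse_eve(text) if r.get("event_type") == "alert"]
    return [r for r in alerts if not is_suppressed(r, suppressions)]


def top_signatures(text, n=5):
    """Count alerts per (sid, signature) to see which rules are noisiest."""
    counts = Counter()
    for r in parse_eve(text):
        if r.get("event_type") == "alert":
            counts[(r["alert"]["signature_id"], r["alert"]["signature"])] += 1
    return counts.most_common(n)


def threshold_config_lines(suppressions):
    """Render suppression entries in threshold.config 'suppress' syntax."""
    return [
        "suppress gen_id %d, sig_id %d, track %s, ip %s"
        % (s["gid"], s["sid"], s["track"], s["ip"])
        for s in suppressions
    ]


if __name__ == "__main__":
    for (sid, sig), count in top_signatures(SAMPLE_EVE):
        print("%d x sid %d (%s)" % (count, sid, sig))
    for r in triage(SAMPLE_EVE, SUPPRESSIONS):
        print("KEEP: %s -> %s  %s" % (r["src_ip"], r["dest_ip"], r["alert"]["signature"]))
    print("\n".join(threshold_config_lines(SUPPRESSIONS)))
```

Suppressing on the destination (the trusted resolver) rather than disabling the SID outright keeps the rule useful: a host that suddenly resolves .cc names through a server you did not configure still surfaces, which is the case worth a look. The generated line goes into Suricata's threshold.config; in OPNsense the same effect is reached through the rule's policy/suppression settings in the IDS UI.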