How Do I Read This?

Started by spetrillo, August 30, 2025, 08:50:21 PM

Hello all,

Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...
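One way to read such an alert is to parse the EVE JSON line and pull out the few fields that matter for triage (who talked to whom, which rule fired, its severity, and whether Suricata only logged or actually blocked it). The script below is an added example, not from the original post or from Suricata/OPNsense; the EVE lines and the resolver address 172.16.2.1 are constructed and hypothetical, modelled on the fields visible in the quoted alert.

```python
import json

# Constructed sample EVE log lines modelled on the alert quoted in the post.
# The second line is a plain "dns" event, included to show it is skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,'
    '"in_iface":"igb3","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,'
    '"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2025-08-30T14:39:03.200000-0400","event_type":"dns",'
    '"src_ip":"172.16.2.2","dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP"}',
]

def parse_alerts(lines):
    """Yield EVE records whose event_type is 'alert'; skip malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec

def summarize(rec):
    """Reduce one alert record to the fields a first-pass triage looks at."""
    a = rec["alert"]
    return {
        "when": rec["timestamp"],
        "flow": f'{rec["src_ip"]}:{rec["src_port"]} -> {rec["dest_ip"]}:{rec["dest_port"]}/{rec["proto"]}',
        "sid": a["signature_id"],
        "msg": a["signature"],
        "category": a["category"],
        "severity": a["severity"],
        "action": a["action"],  # "allowed" = IDS mode: logged only, not dropped
    }

def dns_to_unexpected_resolver(rec, expected_resolvers):
    """True when the alerted flow is DNS (port 53) to a server outside the
    site's known resolver list. The TLD alone says little; which resolver
    the client talked to is the more useful question for a home network."""
    return rec.get("dest_port") == 53 and rec.get("dest_ip") not in expected_resolvers

def triage(lines, expected_resolvers):
    """Summaries of every alert in `lines`, each flagged for resolver mismatch."""
    out = []
    for rec in parse_alerts(lines):
        s = summarize(rec)
        s["unexpected_resolver"] = dns_to_unexpected_resolver(rec, expected_resolvers)
        out.append(s)
    return out

if __name__ == "__main__":
    for item in triage(SAMPLE_EVE_LINES, {"172.16.2.1"}):  # hypothetical LAN resolver
        print(item)
```

Feed it a real `eve.json` with `triage(open("eve.json"), {...})` and the set of resolvers your firewall is actually configured to use; a flagged entry means a client is resolving names somewhere you did not expect.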

Goes to show why I do not use Suricata: just because you query a .CC domain does not necessarily mean there is something wrong.

If I needed a new hobby to fill my days, I would turn to selecting and fine-tuning all of those rules... ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

September 30, 2025, 03:37:39 AM #2 Last Edit: September 30, 2025, 03:55:17 AM by someone
No, it's not good, I would set that rule up to drop if not already done.
That's telling you you are using bad guys' DNS servers, there are many TLD servers
Best to reinstall opnsense
Your DNS settings need setting up. Under System > Settings > General, set your DNS servers, like 8.8.8.8 and 8.8.4.4 to start
In the box select wan ipv4
Check use IPV4 even if IPV6 available
Uncheck the box "allow DNS to be overridden"
check under unbound flush dns on restart
If it keeps up
If you're behind another router, an ISP router, which is what usually causes this,
Or wrong opnsense settings and clicking on something in the browser
reset the ISP router and try again
If it keeps up still they may have rewritten that ISP routers firmware
They did it to mine
Would need to run tcpdump and check dns
All else fails, ask the ISP for another ISP router if you're using one, because that one has been compromised permanently
They should be able to check it by running packet scans, no other way to tell it's broken