How Do I Read This?

Started by spetrillo, August 30, 2025, 08:50:21 PM

Hello all,

Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...

Goes to show why I do not use Suricata: just because you query a .CC domain does not necessarily mean there is something wrong.

If I needed a new hobby to fill my days, I would turn to selecting and fine-tuning all of those rules... ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

September 30, 2025, 03:37:39 AM #2 Last Edit: September 30, 2025, 03:55:17 AM by someone
No, it's not good. I would set that rule up to drop if not already done.
That's telling you you are using bad guys' DNS servers, there are many TLD servers
Best to reinstall opnsense
Your DNS settings need to be set up. Under system settings > general, set your DNS servers, like 8.8.8.8 and 8.8.4.4 to start
In the box select WAN IPv4
Check use IPv4 even if IPv6 available
Uncheck box allow DNS to be overridden
Check under Unbound flush DNS on restart
If it keeps up
If you're behind another router, an ISP router, which is what usually causes this
Or wrong opnsense settings and clicking on something in the browser
reset the ISP router and try again
If it keeps up still they may have rewritten that ISP router's firmware
They did it to mine
Would need to run tcpdump and check DNS
All else, ask ISP for another ISP router if you're using one, because that one has been compromised permanently
They should be able to check it by running packet scans, no other way to tell it's broken

Quote from: spetrillo on August 30, 2025, 08:50:21 PM
Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...


The Suricata alert indicates a network event captured on August 30, 2025, at 14:39:03 EDT, with the following details:

Timestamp: 2025-08-30T14:39:03.101552-0400
Flow ID: 2125015740515061 (unique identifier for the network flow)
Interface: igb3^ (network interface where traffic was captured)
Event Type: Alert (triggered by Suricata's intrusion detection system)
Source IP/Port: 172.16.2.2:31511 (private IP, likely internal network device)
Destination IP/Port: 185.136.96.98:53 (public IP, port 53 used for DNS)
Protocol: UDP (typical for DNS queries)
Packet Source: wire/pcap (captured from live network traffic or pcap file)
Transaction ID: 0 (tx_id for the specific transaction in the flow)

Alert Details:

Action: Allowed (traffic was not blocked)
GID: 1 (group ID for the rule)
Signature ID: 2027758 (unique ID for the rule triggered)
Revision: 5 (rule version)
Signature: ET DNS Query for .cc TLD (Emerging Threats rule for DNS query to .cc top-level domain)
Category: Potentially Bad Traffic (indicates suspicious but not necessarily malicious activity)
Severity: 2 (moderate severity, on a scale where 1 is critical, 3 is low)

Metadata:

Affected Product: Any (applies to any system)
Attack Target: Client_Endpoint (likely targeting a client device)
Confidence: High (high confidence in the rule's accuracy)
Created At: 2013 (rule creation date)

Summary: The alert was triggered by a DNS query from 172.16.2.2 to 185.136.96.98 for a .cc domain, flagged as potentially suspicious by Suricata's Emerging Threats ruleset. The .cc TLD is sometimes associated with malicious activity, but the traffic was allowed. Further investigation into the destination IP and domain context is recommended to assess risk. If you want to check what this host has been reported for, causing it to be flagged, you can look here. I like to use AbuseIPDB for further IP/host investigation.
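The field-by-field reading above can be automated over Suricata's eve.json output. The following is an added example, not code from the thread or from OPNsense/Suricata: it parses one EVE alert record and reports the triage points the post raises (action allowed, outbound DNS, rule confidence). The sample record is constructed from the thread's alert; because the quoted record is truncated, its metadata values and the list of expected resolvers are assumptions.

```python
import json
from ipaddress import ip_address

# Constructed sample modelled on the alert quoted in the thread. The quoted
# record is cut off, so the metadata block here is an assumed, minimal one.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2025-08-30T14:39:03.101552-0400",
    "flow_id": 2125015740515061,
    "in_iface": "igb3^",
    "event_type": "alert",
    "src_ip": "172.16.2.2", "src_port": 31511,
    "dest_ip": "185.136.96.98", "dest_port": 53,
    "proto": "UDP",
    "alert": {
        "action": "allowed", "gid": 1, "signature_id": 2027758, "rev": 5,
        "signature": "ET DNS Query for .cc TLD",
        "category": "Potentially Bad Traffic", "severity": 2,
        "metadata": {"confidence": ["High"], "attack_target": ["Client_Endpoint"]},
    },
})

# Resolvers this network is expected to use (assumed for the example; on a real
# firewall take these from the configured forwarders).
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def triage_alert(line, expected_resolvers=EXPECTED_RESOLVERS):
    """Summarise one EVE alert line and list the questions it raises.

    Returns None for non-alert event types (dns, flow, http, ...)."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    src, dst = ip_address(ev["src_ip"]), ip_address(ev["dest_ip"])
    # Outbound means an RFC 1918 client talking to a public address.
    outbound = src.is_private and not dst.is_private
    findings = []
    if a["action"] == "allowed":
        findings.append("traffic was allowed: IDS mode, nothing was blocked")
    if ev["dest_port"] == 53 and outbound and str(dst) not in expected_resolvers:
        findings.append(f"DNS sent to unexpected resolver {dst}: check client DNS config")
    if "High" in a.get("metadata", {}).get("confidence", []):
        findings.append("rule confidence High: the pattern match itself is reliable")
    return {
        "sid": a["signature_id"],
        "signature": a["signature"],
        "flow": f"{src}:{ev['src_port']} -> {dst}:{ev['dest_port']}/{ev['proto']}",
        "severity": a["severity"],
        "outbound": outbound,
        "findings": findings,
    }
```

A resolver not on the expected list is a configuration question to answer (where did the client get that DNS server?), not by itself evidence of compromise.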


Quote from: spidysense on October 07, 2025, 03:48:47 PM
Quote from: spetrillo on August 30, 2025, 08:50:21 PM
Suricata is throwing up some alerts that I think are ok but I am not sure. Is this ok??

Content match Service Suricata_alert

        Date:        Sat, 30 Aug 2025 14:41:04
        Action:      alert
        Host:        opnsfwpr01.petrillo.home
        Description: content match:
{"timestamp":"2025-08-30T14:39:03.101552-0400","flow_id":2125015740515061,"in_iface":"igb3^","event_type":"alert","src_ip":"172.16.2.2","src_port":31511,"dest_ip":"185.136.96.98","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2027758,"rev":5,"signature":"ET DNS Query for .cc TLD","category":"Potentially Bad Traffic","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"confidence":["High"],"created_at":["201
...


The Suricata alert indicates a network event captured on August 30, 2025, at 14:39:03 EDT, with the following details:

Timestamp: 2025-08-30T14:39:03.101552-0400
Flow ID: 2125015740515061 (unique identifier for the network flow)
Interface: igb3^ (network interface where traffic was captured)
Event Type: Alert (triggered by Suricata's intrusion detection system)
Source IP/Port: 172.16.2.2:31511 (private IP, likely internal network device)
Destination IP/Port: 185.136.96.98:53 (public IP, port 53 used for DNS)
Protocol: UDP (typical for DNS queries)
Packet Source: wire/pcap (captured from live network traffic or pcap file)
Transaction ID: 0 (tx_id for the specific transaction in the flow)

Alert Details:

Action: Allowed (traffic was not blocked)
GID: 1 (group ID for the rule)
Signature ID: 2027758 (unique ID for the rule triggered)
Revision: 5 (rule version)
Signature: ET DNS Query for .cc TLD (Emerging Threats rule for DNS query to .cc top-level domain)
Category: Potentially Bad Traffic (indicates suspicious but not necessarily malicious activity)
Severity: 2 (moderate severity, on a scale where 1 is critical, 3 is low)

Metadata:

Affected Product: Any (applies to any system)
Attack Target: Client_Endpoint (likely targeting a client device)
Confidence: High (high confidence in the rule's accuracy)
Created At: 2013 (rule creation date)

Summary: The alert was triggered by a DNS query from 172.16.2.2 to 185.136.96.98 for a .cc domain, flagged as potentially suspicious by Suricata's Emerging Threats ruleset. The .cc TLD is sometimes associated with malicious activity, but the traffic was allowed. Further investigation into the destination IP and domain context is recommended to assess risk. If you want to check what this host has been reported for, causing it to be flagged, you can look here. I like to use AbuseIPDB for further IP/host investigation.



Thank you for clarifying this!

October 15, 2025, 02:43:24 AM #5 Last Edit: October 15, 2025, 05:05:32 AM by someone Reason: addition
No, it's not ok, no TLD server is ok... they are listed as bad guys... you can search rules for TLD and see block rules for TLD DNS servers
Set up your Unbound DNS, it's easy, put 8.8.8.8 and 8.8.4.4 in system>settings>general in the DNS boxes, click apply
Connect to the internet, then select the IPv4 gateway, it won't say 6 in it, click apply again
If you have a router in front, do a hard reset on it before going online, push the button in back for 30 seconds
Reply back if it persists,
Do you know how to reinstall opnsense?
Hopefully this fixes it
I've been through it
They come through the browser, no password required
Or they corrupted your modem, sometimes it can be permanent for them, they can change the firmware, reset it, try that first
What operating system and what browser, see below

Additional settings opnsense
Under system>settings>general
check do not use local DNS
Make sure you unchecked ... allow DNS settings to be overridden by ISP
Under Unbound>general check flush DNS on reload

If you use Firefox change some settings, why, it will fight with Unbound
clear all browser history, make sure everything is selected

Under Firefox settings Home
uncheck shortcuts and support Firefox

Under privacy and security
Uncheck everything under passwords, and under autofill

under HTTPS Only Mode
Change to enable HTTPS-Only in all windows

Under DNS over HTTPS
Change to OFF
So it will use opnsense DNS servers

October 15, 2025, 05:30:20 AM #6 Last Edit: October 15, 2025, 05:53:12 AM by someone
Spidysense

It should have been blocked
why
that's not just a DNS query, it's a connection, they are in your system
It's a two-way street
It could be a misfire where nothing happened
or it could be they planted a door and/or a beacon they can open anytime from a different IP
So blocking that dns IP alone would not stop them
Hope you have something to monitor and protect endpoints and check logs and connections
Would need to retrace that pcap file to maybe find the culprit, such as why your DNS failed
could be many things
what sent you to the bad guys