csf.dyndns Not Catching FQDN

bayden10
Junior Member
Posts: 4
Joined: 10 Mar 2019, 23:15

Post by bayden10 »

Hi,

Started noticing Suricata alerts based on this ET rule.

ET DNS Query for .su TLD (Soviet Union) Often Malware Related

network.data.decoded	.............ns2.magicgenericmart.su.....
UDP traffic

(..5.?._X..............ns2.magicgenericmart.su..............W.".ns1...admin..w..@...X......u.....
Exploring the tcpdump pcap gives an indication that it still hits the cPanel host even though /etc/csf/csf.dyndns has the FQDN.
Is there a better way of dealing with this in CSF?

What was also observed is that this FQDN is an alias that forwarded to a different IP and host in Poland, and then 24 hrs later it now points to a provider in Russia (89.222.128.42). Net block oddity: in June 2020 this block was 89.222.128.0/17, and today we see it has been downsized to 89.222.128.0/22. We've since updated our infrastructure but are still not clear as to why csf.dyndns was not catching this.

~b10
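Added example (not from the original post or from CSF): the dotted strings above are how a DNS query looks when its non-printable wire bytes are replaced with "."; the queried name is carried as length-prefixed labels in the question section. The script below builds a constructed DNS query for the name quoted in the post, decodes the question names from the raw message (including compression pointers, which a parser must follow with a hop limit), and flags any query whose TLD is on a watchlist, here {"su"} to mirror the ET rule. Because the match is on the queried name, it does not depend on which IP the alias resolves to at the moment, which is the part that changed within 24 hours in the post. The sample bytes and the watchlist are constructed for the example.

```python
import struct

# Constructed sample: a minimal DNS query for the hostname quoted in the post.
# Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
def build_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def printable(msg: bytes) -> str:
    """Render a message the way the Suricata 'decoded' field above does:
    printable ASCII stays, everything else becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in msg)


def read_name(msg: bytes, offset: int):
    """Decode a DNS name at `offset`. Follows RFC 1035 compression pointers
    (0xC0 prefix) with a hop limit so a malformed message cannot loop forever.
    Returns (dotted_name, offset_after_name_in_original_position)."""
    labels = []
    end = None          # where parsing resumes once we return
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # resume after the pointer
            hops += 1
            if hops > 32:
                raise ValueError("too many compression pointers")
            offset = pointer
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def question_names(msg: bytes):
    """Return [(name, qtype), ...] for every entry in the question section."""
    qdcount = struct.unpack(">H", msg[4:6])[0]
    names, offset = [], 12                              # fixed 12-byte header
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        names.append((name, qtype))
    return names


# Constructed watchlist; the ET rule in the post alerts on the .su TLD.
WATCHED_TLDS = {"su"}


def flag_queries(msg: bytes, watched=WATCHED_TLDS):
    """Names in the question section whose last label is a watched TLD."""
    hits = []
    for name, _qtype in question_names(msg):
        tld = name.rsplit(".", 1)[-1].lower()
        if tld in watched:
            hits.append(name)
    return hits


if __name__ == "__main__":
    pkt = build_query("ns2.magicgenericmart.su")
    print(printable(pkt))
    print(flag_queries(pkt))
```

Run stand-alone it prints the dotted rendering and the flagged name; fed a real UDP payload (for example from a pcap via scapy or dpkt) instead of `build_query`, the same `flag_queries` call gives a name-based check that keeps working when the alias moves to a new address.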