ET Trojan DNS Reply Sinkhole - Anubis - 195.22.26.192/26
I'm testing Suricata after fixing my subnet issue. This log keeps showing up on the WAN side: "Great, now I have to hunt for this..." I also enabled it on the LAN and let it run. As expected, the entry appeared again on the WAN log but not in the LAN log. Mostly my IP is the destination, though I've seen three alerts in sequence—one with my IP as destination, then source, then destination again. This is confusing. If it's not coming from my LAN, why are there outbound alerts? My router (PFSense) doesn't expose anything to the internet, so it seems unlikely it's compromised. I know it could be a false positive, but it would be wise to investigate further. Any advice on next steps? Packet capture on port 53 is on the agenda already.
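One way to sort out the direction confusion described in the post is to read the Suricata `eve.json` records instead of only the alert log: the DNS signature fires on a reply whose answer points into 195.22.26.192/26, so the `dns` event that accompanies each alert records which internal client asked and which name resolved into the sinkhole range. The script below is an added example, not code from the original poster or from the Suricata project. It assumes Suricata's `alert` and DNS v2 `answer` event layout, a hypothetical `HOME_NET` of 192.168.1.0/24, and works over constructed sample lines (the signature id 9000001 and the hostnames are made up for the example).

```python
import ipaddress
import json

# Sinkhole range named in the alert; HOME_NET is an assumed LAN, adjust to yours.
SINKHOLE = ipaddress.ip_network("195.22.26.192/26")
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed eve.json lines for the example (not captured from a real sensor).
# Layout follows Suricata's alert and DNS v2 answer events; sid 9000001 is a placeholder.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.20","dest_port":51234,"proto":"UDP","dns":{"version":2,"type":"answer","rrname":"lookup-constructed.test","rcode":"NOERROR","answers":[{"rrname":"lookup-constructed.test","rrtype":"A","ttl":300,"rdata":"195.22.26.200"}]}}',
    '{"timestamp":"2024-01-01T10:00:00.000100+0000","event_type":"alert","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.20","dest_port":51234,"proto":"UDP","alert":{"signature_id":9000001,"signature":"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26","category":"A Network Trojan was detected"}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":51234,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"signature_id":9000001,"signature":"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26","category":"A Network Trojan was detected"}}',
    '{"timestamp":"2024-01-01T10:00:09.000000+0000","event_type":"alert","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.20","dest_port":51235,"proto":"UDP","alert":{"signature_id":9000001,"signature":"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26","category":"A Network Trojan was detected"}}',
    '{"timestamp":"2024-01-01T10:00:10.000000+0000","event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.21","dest_port":40000,"proto":"UDP","dns":{"version":2,"type":"answer","rrname":"benign-constructed.test","rcode":"NOERROR","answers":[{"rrname":"benign-constructed.test","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}]}}',
]


def direction(event, home_net=HOME_NET):
    """Classify an event relative to the LAN so 'source' and 'destination' stop being ambiguous."""
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dest_ip"])
    if dst in home_net and src not in home_net:
        return "inbound"
    if src in home_net and dst not in home_net:
        return "outbound"
    return "internal" if src in home_net else "external"


def sinkhole_answers(events, sinkhole=SINKHOLE):
    """Return every DNS answer whose A/AAAA record lands in the sinkhole range.

    For an answer event Suricata logs the resolver as src_ip and the asking
    client as dest_ip, so this yields the internal host that made the lookup.
    """
    hits = []
    for ev in events:
        if ev.get("event_type") != "dns" or ev.get("dns", {}).get("type") != "answer":
            continue
        for ans in ev["dns"].get("answers", []):
            if ans.get("rrtype") not in ("A", "AAAA"):
                continue
            if ipaddress.ip_address(ans["rdata"]) in sinkhole:
                hits.append({
                    "client": ev["dest_ip"],
                    "resolver": ev["src_ip"],
                    "query": ans["rrname"],
                    "rdata": ans["rdata"],
                    "timestamp": ev.get("timestamp"),
                })
    return hits


def summarize(lines, home_net=HOME_NET, sinkhole=SINKHOLE):
    """Count sinkhole alerts per direction and list the DNS answers that triggered them."""
    events = [json.loads(line) for line in lines]
    counts = {}
    for ev in events:
        if ev.get("event_type") == "alert" and "Sinkhole" in ev["alert"]["signature"]:
            d = direction(ev, home_net)
            counts[d] = counts.get(d, 0) + 1
    return counts, sinkhole_answers(events, sinkhole)


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_EVE)
    print("alerts by direction:", counts)
    for h in hits:
        print(f"{h['timestamp']} client {h['client']} asked for {h['query']} -> {h['rdata']} (sinkhole)")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file's lines (`open("/var/log/suricata/eve.json")`). If every sinkhole answer traces back to one LAN client, that client is the host to inspect; if the alerts exist but no matching `dns` answer names a LAN client, the lookup was made by the router's own resolver, which is worth knowing before spending time on the packet capture.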