NF – Punycode COM or DK domain used in certificate

This alert is triggered when a host on the internal network opens a TLS session to port 443 whose ClientHello carries a Punycode (xn--) domain ending in .com or .dk; the signature inspects the TLS handshake, not the DNS lookup. Punycode encoding is the ASCII form of internationalized domain names, but it is also abused in phishing by registering domains that render as visually similar (homograph) names.

Categories:

ID Number

5023352

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"NF - Punycode COM ore DK domain used in certicifate"; flow:to_server,established; ssl_state:client_hello; pcre:"/xn--[a-z0-9\-]{1,256}(\.com|\.dk)/i"; reference:url,www.xudongz.com/blog/2017/idn-phishing; reference:url,networkforensic.dk; metadata:18042017; classtype:bad-unknown; sid:5023352; rev:1;)

Severity

Low

Recommendations/Investigative actions

- Investigate the source of communication: identify the device or process that initiated this connection, as it may indicate unauthorized activity.
- Block the connection: prevent further communication with the detected domain, especially if Punycode domains are unnecessary in this network.
- Inspect the device for potential phishing or malware: check for signs of compromise on the device that attempted the connection, as it may have interacted with a phishing site.
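As an added example (not part of the NF rule set), the Python below applies the signature's pattern to a TLS SNI, with the TLD dots escaped because the bare "." in the original PCRE matches any character, and then decodes the Punycode label so an analyst triaging the alert can see what the user was shown. The confusables table is a constructed, partial one; xn--80ak6aa92e.com is the homograph domain from the referenced IDN phishing write-up, and xn--blbrgrd-fxak7p.dk (the Danish word blåbærgrød) is a benign .dk IDN chosen here as the false-positive case.

```python
import re
import unicodedata

# PCRE as written in the NF signature: the bare "." in "(.com|.dk)" matches any
# character, so an SNI such as "xn--abc1com.example.net" also fires it.
ORIGINAL_PCRE = re.compile(r"xn--[a-z0-9\-]{1,256}(.com|.dk)", re.I)
# Same pattern with the TLD dots escaped and anchored to the end of the SNI.
PUNYCODE_COM_DK = re.compile(r"xn--[a-z0-9\-]{1,256}\.(?:com|dk)$", re.I)

# Constructed, partial table of Cyrillic letters that render like Latin ones
# (the full list is the Unicode UTS #39 confusables data).
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
})

def original_rule_matches(sni: str) -> bool:
    return ORIGINAL_PCRE.search(sni) is not None

def rule_matches(sni: str) -> bool:
    """True if this SNI would fire the corrected NF Punycode COM/DK rule."""
    return PUNYCODE_COM_DK.search(sni) is not None

def decode_host(host: str) -> str:
    """Decode each xn-- label with the raw punycode codec (no IDNA nameprep)."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def scripts(label: str) -> set:
    """Scripts of the letters in a label, read off the Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def triage(sni: str) -> dict:
    """Decode an alerting SNI and report whether it is a likely homograph."""
    decoded = decode_host(sni)
    label = decoded.split(".")[0]
    skeleton = label.translate(CYRILLIC_LOOKALIKES)
    return {
        "match": rule_matches(sni),
        "decoded": decoded,
        "mixed_script": len(scripts(label)) > 1,
        # a label whose lookalike skeleton is plain ASCII but differs: homograph
        "looks_like": skeleton if skeleton != label and skeleton.isascii() else None,
    }
```

Running triage() on the two sample SNIs shows the first decoding to a Cyrillic label that renders as "apple" and the second to a plain Latin Danish word, which is the distinction an analyst needs before blocking.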