NF – TLD domain – .su DNS quer

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .su (Soviet Union). The .su domain remains in use today and is less regulated, making it attractive to hackers, scammers, and cybercriminals.

Categories:

ID Number

5017801

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - TLD domain - .su DNS quer"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|SU|00|"; fast_pattern; nocase; distance:0; reference:url,networkforensic.dk; metadata:created_at 20042015; classtype:bad-unknown; sid:5017801; rev:4;)
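The following Python model of the rule's two content matches is an added example, not part of the original rule set. It builds constructed DNS query bytes (no captured traffic) and applies the checks the way Snort evaluates them, which makes the rule's coverage visible: it fires only on a standard recursive query (flags 0x0100, exactly one question, no additional records) whose final label is "su", so queries carrying an EDNS OPT record or with RD clear are not matched. The function names are assumptions for this example.

```python
import struct


def build_dns_query(qname: str, txid: int = 0x1234, flags: int = 0x0100, arcount: int = 0) -> bytes:
    """Constructed test input: a minimal DNS query for qname (type A, class IN).
    flags defaults to 0x0100 (standard query, recursion desired); arcount lets the
    caller emulate an EDNS OPT record being present (the OPT body itself is omitted
    because the rule only inspects the header counts and the question name)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def rule_5017801_matches(payload: bytes) -> bool:
    """Apply the two content checks of sid 5017801 to a UDP payload."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2
    # Search window is bytes [2, 12): flags=0x0100, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    hdr_pattern = bytes.fromhex("01000001000000000000")
    window = payload[2:12]
    idx = window.find(hdr_pattern)
    if idx == -1:
        return False
    cursor = 2 + idx + len(hdr_pattern)  # detection offset after the first match
    # content:"|02|SU|00|"; nocase; distance:0
    # Relative to the previous match, case-insensitive: a two-byte label "su"
    # immediately followed by the root (0x00), i.e. "su" must be the last label.
    rest = payload[cursor:].lower()
    return rest.find(b"\x02su\x00") != -1


if __name__ == "__main__":
    samples = {
        "mail.example.su": build_dns_query("mail.example.su"),
        "EXAMPLE.SU (nocase)": build_dns_query("EXAMPLE.SU"),
        "example.su.com (su not last label)": build_dns_query("example.su.com"),
        "example.com": build_dns_query("example.com"),
        "example.su with EDNS (ARCOUNT=1)": build_dns_query("example.su", arcount=1),
        "example.su with RD clear": build_dns_query("example.su", flags=0x0000),
    }
    for label, pkt in samples.items():
        print(f"{label:40s} -> {'ALERT' if rule_5017801_matches(pkt) else 'no match'}")
```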

Severity

High

Recommendations/Investigative actions

Identify which device made the DNS request to assess whether the request is expected or potentially unauthorized. Block further queries to .su domains. Investigate the device that initiated the query for signs of phishing, malware, or other suspicious behavior.