Signature
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - TLD domain - .ru DNS query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|RU|00|"; fast_pattern; nocase; distance:0; reference:url,networkforensic.dk; metadata:20042015; classtype:bad-unknown; sid:5017802; rev:4;)
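As an added example, not part of the networkforensic.dk signature page, the Python below re-implements the rule's two content checks (the offset/depth window over the DNS header and the distance-constrained ".ru" label match) and runs them over constructed DNS query payloads, including one with an EDNS0 OPT record, where ARCOUNT=1 breaks the fixed header pattern so the rule does not fire. The helper names build_dns_query and rule_5017802_matches are the example's own, not from the rule author.

```python
import struct

# Constructed sample DNS query payloads (not captured traffic), UDP payload only.
def build_dns_query(name: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Build a minimal DNS A/IN query; edns=True appends an EDNS0 OPT record."""
    # Header: ID, flags 0x0100 (standard query, RD set), QDCOUNT=1, AN=0, NS=0, AR=0/1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, TTL/flags 0, RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def rule_5017802_matches(payload: bytes) -> bool:
    """Apply the content checks of sid:5017802 to a UDP DNS payload."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
    # -> search only bytes [2, 12): flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    #    Any query with ARCOUNT != 0 (e.g. EDNS0 OPT present) fails here.
    first = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    idx = payload[2:12].find(first)
    if idx < 0:
        return False
    end_of_first = 2 + idx + len(first)
    # content:"|02|RU|00|"; nocase; distance:0;
    # -> label length 2, "ru" in any case, then the terminating null (so "ru" must
    #    be the last label, i.e. the TLD), starting at or after the previous match.
    rest = payload[end_of_first:].lower()  # bytes.lower() only folds ASCII letters
    return b"\x02ru\x00" in rest


if __name__ == "__main__":
    for qname, edns in [("mail.example.ru", False), ("EXAMPLE.RU", False),
                        ("ru.example.com", False), ("example.ru", True)]:
        print(f"{qname:18} edns={edns!s:5} -> {rule_5017802_matches(build_dns_query(qname, edns=edns))}")
```

The last case is the practical caveat: clients that send EDNS0 queries (ARCOUNT=1) are invisible to this rule as written, so its coverage should be checked against the resolvers actually in use.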
Recommendations/Investigative actions
Identify which device made the DNS request to assess if it’s expected or potentially unauthorized.
Consider blocking further queries to .ru domains.
Investigate the device that initiated the query for signs of phishing, malware, or other suspicious behavior.
Relations to other alerts