Signature
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - Bad TLD domain - report DNS query - Check domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|report|00|"; fast_pattern; nocase; distance:0; reference:url,networkforensic.dk; metadata:22092016; classtype:bad-unknown; sid:5017809; rev:2;)
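As an added example (not part of the original page or its rule set), the following Python mirrors what the signature matches: bytes 2-11 of the DNS payload equal the header of a single-question, recursion-desired standard query, and the question name ends in the label "report" (case-insensitive). The function names build_query, parse_qname and matches_bad_tld_rule are chosen here, and the packets are constructed test input, not captures.

```python
import struct


def build_query(name, txid=0x1234, flags=0x0100):
    """Build a minimal DNS question packet (constructed test input, not a capture).

    flags=0x0100 is a standard query with recursion desired; QDCOUNT=1, others 0,
    which is exactly the 10-byte header pattern the rule matches at offset 2.
    """
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# The rule's first content match: |01 00 00 01 00 00 00 00 00 00| at offset 2, depth 10.
HEADER_PATTERN = bytes.fromhex("01000001000000000000")


def parse_qname(payload, pos=12):
    """Return the labels of the first question name, starting right after the header."""
    labels = []
    while True:
        length = payload[pos]
        if length == 0:                      # root label terminates the name
            return labels
        if length & 0xC0:                    # compression pointer: not valid in a question
            raise ValueError("compressed label in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def matches_bad_tld_rule(payload, tld="report"):
    """True when the payload would trigger the signature for the given TLD.

    Stricter than the raw byte search in the rule: the name is parsed, so the
    watched label must really be the last label of the question name.
    """
    if len(payload) < 12 or payload[2:12] != HEADER_PATTERN:
        return False
    try:
        labels = parse_qname(payload)
    except (IndexError, ValueError):         # truncated or malformed question
        return False
    return bool(labels) and labels[-1].lower() == tld.lower()
```

The rule's `|06|report|00|` is a byte search anywhere after the header, so on malformed packets the two checks can differ; on well-formed queries they agree, including the case-insensitive match that `nocase` provides.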
Recommendations/Investigative actions
Identify which device initiated the DNS request to determine if it’s expected or unauthorized.
Check if the queried domain is malicious.
Investigate the initiating device for signs of phishing, malware, or other suspicious activities.
Block further DNS requests if the domains are unnecessary.
Relations to other alerts