ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26

jagdtigger

So I'm fiddling around with Suricata after resolving my little issue with subnets, and this entry keeps popping up in the log on the WAN side:

Quote

ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26

"Great, now I have to hunt for this...." Enabled Suricata on the LAN too and let it run for a while. As I expected, the entry popped up again in the WAN log, but no trace of it in the LAN log.... O.o

Mostly my address is the destination, but there were a few times where I saw 3 alerts in sequence: one with my IP as destination, then one with my IP as source, and again one with my IP as destination. This is what puzzles me. If it's not originating from my LAN, then why is there an outbound alert? Nothing is exposed from my router (pfSense) to the internet, so I don't think it could be compromised.....

Yeah, I know it could be a false positive, but it wouldn't hurt to look into it. Any suggestions on what I should do next? (A packet capture on port 53 is on the agenda already.)

 

/Update

This could be a false positive. Ran a packet capture on the LAN side on port 53 and let it run for a while. I noticed two more Anubis sinkhole warnings in the Suricata log at 9:21:13, but no suspicious DNS query on the LAN side:

https://www.dropbox.com/s/fvfdpqcccvzx6x6/Screenshot_2019-07-05_10-03-12.png?dl=0

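The poster's next step is to compare the WAN-side alert with a port 53 capture on the LAN. The alert fires on DNS replies whose answer points into the sinkhole range it names (195.22.26.192/26), so one way to check a capture is to decode each DNS reply and list the A records that fall in that range. The following is an added example, not the poster's code or an Emerging Threats/Suricata component; it parses raw DNS messages (UDP payload only) and uses a constructed reply for the demo, with "constructed.example" and the builder function being assumptions made here.

```python
import ipaddress
import struct

# Sinkhole range named in the "ET TROJAN DNS Reply Sinkhole - Anubis" alert.
SINKHOLE_NET = ipaddress.ip_network("195.22.26.192/26")


def _read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def sinkholed_answers(msg, net=SINKHOLE_NET):
    """A-record answers in a raw DNS reply (UDP payload) that fall in `net`."""
    flags, qd, an = struct.unpack_from("!xxHHH", msg, 0)   # skip ID; flags, QDCOUNT, ANCOUNT
    if not flags & 0x8000:                   # QR bit clear: this is a query, not a reply
        return []
    off = 12                                 # end of the 12-byte header
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    hits = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)  # TYPE CLASS TTL RDLENGTH
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4 and ipaddress.ip_address(rdata) in net:
            hits.append((name, str(ipaddress.ip_address(rdata))))
    return hits


def build_response(name, ips):
    """Constructed test helper (assumption): a minimal DNS A reply for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD, RA
    msg += qname + struct.pack("!HH", 1, 1)                            # QTYPE=A, QCLASS=IN
    for ip in ips:                                                     # answers point back at QNAME
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return msg
```

Feed it the UDP payloads of port 53 replies from the LAN capture: an empty result for every reply, while the WAN alert keeps firing, supports the false-positive reading in the update above.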
