{"report_id":"873373f8-25d9-4b19-84c3-ef76fe0e650b","version":6,"status":"done","tags":["dyndns"],"date":"2023-11-27T21:20:07Z","url":{"schema":"http","addr":"ksm5sksm5sksm5s.zzux.com/","fqdn":"ksm5sksm5sksm5s.zzux.com","domain":"zzux.com","tld":"com"},"ip":{"addr":"192.169.7.221","port":0,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"final":{"url":{"schema":"http","addr":"ksm5sksm5sksm5s.zzux.com/","fqdn":"ksm5sksm5sksm5s.zzux.com","domain":"zzux.com","tld":"com"},"title":"Home"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T10:25:36Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"ksm5sksm5sksm5s.zzux.com","ip":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"domain_registered":"2000-11-15","domain_rank":0,"first_seen":"2015-06-11 17:14:23","last_seen":"2023-07-17 05:34:42","alert_count":6,"request_count":3,"received_data":81225,"sent_data":1159,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":57513,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:51.353582+0000\",\"flow_id\":1477483915863342,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":57513,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":37639,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:51.353582+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39269,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:51.353413+0000\",\"flow_id\":2191485721601157,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":39269,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":18373,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"A\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:51.353413+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":57513,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:51.353582+0000\",\"flow_id\":1477483915863342,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":57513,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":37639,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:51.353582+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39269,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:51.353413+0000\",\"flow_id\":2191485721601157,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":39269,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":18373,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"A\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:51.353413+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":33649,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:51.373783+0000\",\"flow_id\":2217717231663472,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":33649,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":14971,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":2}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":2,\"pkts_toclient\":1,\"bytes_toserver\":212,\"bytes_toclient\":117,\"start\":\"2023-11-27T21:19:10.473456+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":33649,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:51.373783+0000\",\"flow_id\":2217717231663472,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":33649,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":14971,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":2}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":2,\"pkts_toclient\":1,\"bytes_toserver\":212,\"bytes_toclient\":117,\"start\":\"2023-11-27T21:19:10.473456+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Client IP","port":50754,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.169.7.221","port":443,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO MALWARE DustySky SSL Certificate Detected","source":"{\"timestamp\":\"2023-11-27T21:19:51.738472+0000\",\"flow_id\":1784608437286579,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.169.7.221\",\"src_port\":443,\"dest_ip\":\"10.70.215.78\",\"dest_port\":50754,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820566,\"rev\":2,\"signature\":\"ETPRO MALWARE DustySky SSL Certificate Detected\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"tag\":[\"SSL_Malicious_Cert\"],\"updated_at\":[\"2016_07_01\"]}},\"tls\":{\"subject\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"issuerdn\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"serial\":\"26:38\",\"fingerprint\":\"a6:e3:3f:a8:9e:f8:fa:ea:ae:d0:72:bc:a2:b3:a6:3c:be:b6:53:20\",\"sni\":\"ksm5sksm5sksm5s.zzux.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2023-11-07T08:55:33\",\"notafter\":\"2024-11-06T08:55:33\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"303951d4c50efb2e991652225a6f02b1\",\"string\":\"771,49199,65281-11\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":926,\"bytes_toclient\":1742,\"start\":\"2023-11-27T21:19:51.374451+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:51Z","timestamp":1701119991,"ip_dst":{"addr":"Client IP","port":50754,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.169.7.221","port":443,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)","source":"{\"timestamp\":\"2023-11-27T21:19:51.918783+0000\",\"flow_id\":1784608437286579,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.169.7.221\",\"src_port\":443,\"dest_ip\":\"10.70.215.78\",\"dest_port\":50754,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013659,\"rev\":6,\"signature\":\"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2011_09_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"POLICY\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"SSL_Malicious_Cert\"],\"updated_at\":[\"2022_03_23\"]}},\"tls\":{\"subject\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"issuerdn\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"serial\":\"26:38\",\"fingerprint\":\"a6:e3:3f:a8:9e:f8:fa:ea:ae:d0:72:bc:a2:b3:a6:3c:be:b6:53:20\",\"sni\":\"ksm5sksm5sksm5s.zzux.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2023-11-07T08:55:33\",\"notafter\":\"2024-11-06T08:55:33\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"303951d4c50efb2e991652225a6f02b1\",\"string\":\"771,49199,65281-11\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":5,\"bytes_toserver\":1347,\"bytes_toclient\":1859,\"start\":\"2023-11-27T21:19:51.374451+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":40295,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:52.116220+0000\",\"flow_id\":784654151501308,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":40295,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":62829,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.116220+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":40295,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.116220+0000\",\"flow_id\":784654151501308,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":40295,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":62829,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.116220+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Client IP","port":50758,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.169.7.221","port":443,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)","source":"{\"timestamp\":\"2023-11-27T21:19:52.268211+0000\",\"flow_id\":1131797030593538,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.169.7.221\",\"src_port\":443,\"dest_ip\":\"10.70.215.78\",\"dest_port\":50758,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013659,\"rev\":6,\"signature\":\"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2011_09_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"POLICY\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"SSL_Malicious_Cert\"],\"updated_at\":[\"2022_03_23\"]}},\"tls\":{\"subject\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"issuerdn\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"serial\":\"26:38\",\"fingerprint\":\"a6:e3:3f:a8:9e:f8:fa:ea:ae:d0:72:bc:a2:b3:a6:3c:be:b6:53:20\",\"sni\":\"ksm5sksm5sksm5s.zzux.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2023-11-07T08:55:33\",\"notafter\":\"2024-11-06T08:55:33\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"303951d4c50efb2e991652225a6f02b1\",\"string\":\"771,49199,65281-11\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":5,\"bytes_toserver\":1210,\"bytes_toclient\":1859,\"start\":\"2023-11-27T21:19:51.746498+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Client IP","port":50758,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.169.7.221","port":443,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO MALWARE DustySky SSL Certificate Detected","source":"{\"timestamp\":\"2023-11-27T21:19:52.268211+0000\",\"flow_id\":1131797030593538,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.169.7.221\",\"src_port\":443,\"dest_ip\":\"10.70.215.78\",\"dest_port\":50758,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820566,\"rev\":2,\"signature\":\"ETPRO MALWARE DustySky SSL Certificate Detected\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"tag\":[\"SSL_Malicious_Cert\"],\"updated_at\":[\"2016_07_01\"]}},\"tls\":{\"subject\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"issuerdn\":\"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=vps.server.com, Email=root@vps.server.com\",\"serial\":\"26:38\",\"fingerprint\":\"a6:e3:3f:a8:9e:f8:fa:ea:ae:d0:72:bc:a2:b3:a6:3c:be:b6:53:20\",\"sni\":\"ksm5sksm5sksm5s.zzux.com\",\"version\":\"TLS 1.2\",\"notbefore\":\"2023-11-07T08:55:33\",\"notafter\":\"2024-11-06T08:55:33\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"303951d4c50efb2e991652225a6f02b1\",\"string\":\"771,49199,65281-11\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":5,\"bytes_toserver\":1210,\"bytes_toclient\":1859,\"start\":\"2023-11-27T21:19:51.746498+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":44442,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.473546+0000\",\"flow_id\":2035597736201300,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44442,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":459},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":681,\"bytes_toclient\":912,\"start\":\"2023-11-27T21:19:52.117844+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":49634,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:52.567430+0000\",\"flow_id\":375749642594438,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":49634,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":10075,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.567430+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":49634,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.567430+0000\",\"flow_id\":375749642594438,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":49634,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":10075,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.567430+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":53759,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Observed DNS Query to DDNS Domain .zzux .com","source":"{\"timestamp\":\"2023-11-27T21:19:52.668299+0000\",\"flow_id\":253632984920715,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":53759,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033122,\"rev\":1,\"signature\":\"ET INFO Observed DNS Query to DDNS Domain .zzux .com\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2021_06_09\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2021_06_09\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":6946,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.668299+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":53759,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.668299+0000\",\"flow_id\":253632984920715,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":53759,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042727,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_13\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_13\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":6946,\"rrname\":\"ksm5sksm5sksm5s.zzux.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":95,\"bytes_toclient\":0,\"start\":\"2023-11-27T21:19:52.668299+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":44458,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.912155+0000\",\"flow_id\":1307529912560561,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44458,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/underconstruction.jpg\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"image/jpeg\",\"http_refer\":\"http://ksm5sksm5sksm5s.zzux.com/\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1211},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":655,\"bytes_toclient\":6262,\"start\":\"2023-11-27T21:19:52.568241+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:53Z","timestamp":1701119993,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":44460,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:53.009404+0000\",\"flow_id\":526780020045025,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44460,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/favicon.ico\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_refer\":\"http://ksm5sksm5sksm5s.zzux.com/\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":404,\"length\":146},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":645,\"bytes_toclient\":534,\"start\":\"2023-11-27T21:19:52.668897+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"ksm5sksm5sksm5s.zzux.com/","fqdn":"ksm5sksm5sksm5s.zzux.com","domain":"zzux.com","tld":"com"},"ip":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-11-27T21:19:52.122Z","timestamp":1701119992122,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: ksm5sksm5sksm5s.zzux.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Mon, 27 Nov 2023 21:19:48 GMT\r\nServer: Apache\r\nLast-Modified: Fri, 14 Apr 2023 16:49:56 GMT\r\nETag: \"1cb-5f94ea18d645f\"\r\nAccept-Ranges: bytes\r\nContent-Length: 459\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":459,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF line terminators","md5":"87bdd982170d5f0d2b501ec12dd0b8c8","sha1":"433143a7ab6d6e79f3e6ef3a7430f621fa510fe9","sha256":"ac65810115c2133c087c52319d127f37ac82a41ed4bd74a04224047f06727d77","sha512":"2bf4cfa9d4043e0dc3ca6ff103c354a95a75433c7155d656cd777603bb02d3d1805b8b47f540ae85db4725449eba09ed50066d5d4754774a7e0dbc838167d496","ssdeep":"","tlshash":"13f02738a053dc4db2d79b7224fb67841456c582d1884a6ca4a570bbf48e299d172395","first_seen":"2023-04-07T00:20:34Z","last_seen":"2024-09-28T08:43:40.835016Z","times_seen":49,"resource_available":false,"data":null}},"time_used":529,"timings":{"blocked":172,"dns":1,"connect":177,"send":0,"wait":179,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.78","port":44442,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.473546+0000\",\"flow_id\":2035597736201300,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44442,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":459},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":681,\"bytes_toclient\":912,\"start\":\"2023-11-27T21:19:52.117844+0000\"}}"}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"http","addr":"ksm5sksm5sksm5s.zzux.com/favicon.ico","fqdn":"ksm5sksm5sksm5s.zzux.com","domain":"zzux.com","tld":"com"},"ip":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://ksm5sksm5sksm5s.zzux.com/","date":"2023-11-27T21:19:52.668Z","timestamp":1701119992668,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: ksm5sksm5sksm5s.zzux.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://ksm5sksm5sksm5s.zzux.com/\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 404 Not Found\r\nDate: Mon, 27 Nov 2023 21:19:49 GMT\r\nServer: Apache\r\nStatus: 404 Not Found\r\nContent-Length: 146\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":146,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document text\\012- HTML document, ASCII text, with no line terminators","md5":"159e3b75fd506135ea88da1dba7abbdb","sha1":"d876adf957a5ee5917c47ba51c1d05448404ee43","sha256":"6b1515cf6376a9b5e9fa32223e21f4834f36ed29c8815d95f997de76dac7fef0","sha512":"d3b0e6b1125164bdab3366b9580d70aedae39ad1e62a8047075bf848ff7c5a19a1bc04de8997a15c156f12d61bdde410b4eb212cc093b670fc35b5f7e4761761","ssdeep":"","tlshash":"1fc09b1cb953b5c5df071296d7c37581d195c33ba8de4f121548454374cb19ed0ca3d9","first_seen":"2023-04-06T20:44:08Z","last_seen":"2025-11-09T06:07:53.848061Z","times_seen":360,"resource_available":false,"data":null}},"time_used":340,"timings":{"blocked":0,"dns":0,"connect":168,"send":0,"wait":172,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:53Z","timestamp":1701119993,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.78","port":44460,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:53.009404+0000\",\"flow_id\":526780020045025,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44460,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/favicon.ico\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_refer\":\"http://ksm5sksm5sksm5s.zzux.com/\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":404,\"length\":146},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":645,\"bytes_toclient\":534,\"start\":\"2023-11-27T21:19:52.668897+0000\"}}"}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"http","addr":"ksm5sksm5sksm5s.zzux.com/underconstruction.jpg","fqdn":"ksm5sksm5sksm5s.zzux.com","domain":"zzux.com","tld":"com"},"ip":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://ksm5sksm5sksm5s.zzux.com/","date":"2023-11-27T21:19:52.568Z","timestamp":1701119992568,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /underconstruction.jpg HTTP/1.1\r\nHost: ksm5sksm5sksm5s.zzux.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://ksm5sksm5sksm5s.zzux.com/\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Mon, 27 Nov 2023 21:19:49 GMT\r\nServer: Apache\r\nLast-Modified: Fri, 14 Apr 2023 16:52:18 GMT\r\nETag: \"13858-5f94eaa042f97\"\r\nAccept-Ranges: bytes\r\nContent-Length: 79960\r\nConnection: close\r\nContent-Type: image/jpeg\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":79960,"size_decoded":0,"mime_type":"image/jpeg","magic":"JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: \"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 85\", baseline, precision 8, 1200x675, components 3\\012- data","md5":"4a1c65e36bdc0c270385649f41dff253","sha1":"8aa4a3ede799579cd547a0a42952dbb5933b5808","sha256":"b41772b89b8c88bbbf1274e4255b20ae257e985fb1e585734f9010a9713ffd0d","sha512":"d5900291ad40e00aea957bd65e013382d9723b9f13935c75a25c955cef564e0bc5c737de9ebc95e55f849f062b89a2bac963c29b9c9a79e644e14cb2c68b5228","ssdeep":"","tlshash":"","first_seen":"2023-07-30T16:49:36Z","last_seen":"2023-11-27T22:20:07Z","times_seen":1,"resource_available":false,"data":null}},"time_used":863,"timings":{"blocked":171,"dns":1,"connect":171,"send":0,"wait":173,"receive":347,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-11-27T21:19:52Z","timestamp":1701119992,"ip_dst":{"addr":"192.169.7.221","port":80,"asn":8100,"as":"ASN-QUADRANET-GLOBAL","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.78","port":44458,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain","source":"{\"timestamp\":\"2023-11-27T21:19:52.912155+0000\",\"flow_id\":1307529912560561,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.78\",\"src_port\":44458,\"dest_ip\":\"192.169.7.221\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2035965,\"rev\":1,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_04_14\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_04_14\"]}},\"http\":{\"hostname\":\"ksm5sksm5sksm5s.zzux.com\",\"url\":\"/underconstruction.jpg\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"image/jpeg\",\"http_refer\":\"http://ksm5sksm5sksm5s.zzux.com/\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1211},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":655,\"bytes_toclient\":6262,\"start\":\"2023-11-27T21:19:52.568241+0000\"}}"}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}}]}