Hi
I am a new subscriber to ET Pro Telemetry, and a new Opnsense user, so please feel free to enlighten me.
Yesterday I installed ET Pro and today I got the following alert. I have searched online, but results are slim.
Seems like Windows malware, according to most posts I have found. But 10.0.1.2 is a Linux box, and the Windows VM was not open at the time of the alert.
How would you interpret this alert?
Intrusion detection is on. But IPS mode is off. I configured the action to drop. Proper thing to do?
- Timestamp: 2025-03-23T14:58:25.750378-0400
- Alert: ET INFO Observed Cloudflare Page Developer Domain (pages .dev in TLS SNI)
- Alert sid: 2057746
- Protocol: TCP
- Source IP: 10.0.1.2
- Destination IP: 172.66.47.179 /* this is cloudflare */
- Source port: 54980
- Destination port: 443
- Interface: LAN
- TLS version: TLS 1.3
Secondary question: what is the best resource to learn more about what these alerts mean?
Thank you!
Hello and welcome @jacgfxgeek!
When triaging a rule that you aren't sure about, one of the best places to start is by identifying the category, which will give you a quick idea of what type of traffic the rule is looking for. Categories are always in uppercase and are the second word in the rule title (i.e. ET INFO is the INFO category). For example, these are a few different categories in the ruleset today.
We have comprehensive descriptions for each category that you can read here: Suricata 5, 6, & 7 Rule Categories. Because this rule is INFO, that means that this rule is mostly used for audit/correlation purposes. While useful within the context of an investigation, they can be somewhat noisy and do not necessarily indicate a compromise.
Additionally, if you view the full rule text you can see that the severity is set to informational as well. We have signature severity documented here: Rules Severities.
Now, on to what the rest of the rule means!
Cloudflare Page Developer Domain (pages .dev in TLS SNI)
This is indicating that a domain ending in .pages.dev was observed during a TLS handshake. This domain is related to a CloudFlare service called "Pages" which is used to quickly stand up websites. We have observed attackers abusing this service in the past for phishing and payload delivery, which is why the rule was created. That being said, it is a legitimate service which is widely utilized.
If you want to learn more about our TLS/DNS signatures @trobinson667 has put together an awesome summary that is worth a read through. Investigating and Interpreting TLS SNI and DNS query rules
TL;DR:
- This is an informational rule and does not indicate that malware has been observed so further action may not be needed
- I shared a couple of our resources for understanding rules but we are always happy to answer questions and feedback here!
Let me know if that clears anything up or if you have additional questions.
Thanks!
Isaac
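The triage steps in the reply above (read the category off the second word of the rule title, then check the `signature_severity` value in the rule's metadata) can be automated. The following is an added example, not code from the reply or from Emerging Threats: it parses a constructed Suricata EVE-style alert record built from the values in the original post, plus a constructed rule line whose body is a placeholder (only the `msg`, `sid` and `signature_severity` fields mirror the page; the rest is assumed), and returns a triage summary.

```python
"""Triage helper for ET/ETPRO alerts: derive the rule category from the
signature title and the severity from the rule metadata, then decide
whether the alert on its own suggests a compromise."""
import json
import re

# Constructed sample EVE alert (values taken from the forum post, layout
# follows Suricata's eve.json alert records; not a capture from the poster).
SAMPLE_EVE_ALERT = json.dumps({
    "timestamp": "2025-03-23T14:58:25.750378-0400",
    "event_type": "alert",
    "src_ip": "10.0.1.2", "src_port": 54980,
    "dest_ip": "172.66.47.179", "dest_port": 443,
    "proto": "TCP",
    "alert": {
        "signature_id": 2057746,
        "signature": "ET INFO Observed Cloudflare Page Developer Domain "
                     "(pages .dev in TLS SNI)",
    },
    "tls": {"sni": "example.pages.dev", "version": "TLS 1.3"},
})

# Constructed rule text: a placeholder body that only illustrates where the
# msg, sid and signature_severity metadata live. It is NOT the real rule.
SAMPLE_RULE = (
    'alert tls $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"ET INFO Observed Cloudflare Page Developer Domain (pages .dev in TLS SNI)"; '
    'flow:established,to_server; tls.sni; content:".pages.dev"; endswith; '
    'classtype:misc-activity; sid:2057746; rev:1; '
    'metadata:attack_target Client_Endpoint, signature_severity Informational;)'
)

# Categories the reply describes as audit/correlation rather than detection.
AUDIT_CATEGORIES = {"INFO"}


def category_from_signature(signature):
    """Return the uppercase category word that follows the ET/ETPRO prefix."""
    parts = signature.split()
    if len(parts) < 2 or parts[0] not in ("ET", "ETPRO"):
        return None
    return parts[1] if parts[1].isupper() else None


def severity_from_rule(rule_text):
    """Extract signature_severity from the rule's metadata option, if present."""
    match = re.search(r"metadata:([^;]*);", rule_text)
    if not match:
        return None
    for item in match.group(1).split(","):
        key_value = item.strip().split(None, 1)
        if len(key_value) == 2 and key_value[0] == "signature_severity":
            return key_value[1]
    return None


def triage(eve_line, rule_text):
    """Combine the alert record and rule text into a small triage summary."""
    record = json.loads(eve_line)
    alert = record["alert"]
    category = category_from_signature(alert["signature"])
    severity = severity_from_rule(rule_text)
    informational = (category in AUDIT_CATEGORIES
                     or (severity or "").lower() == "informational")
    return {
        "sid": alert["signature_id"],
        "category": category,
        "severity": severity,
        "sni": record.get("tls", {}).get("sni"),
        "src": f"{record['src_ip']}:{record['src_port']}",
        "dst": f"{record['dest_ip']}:{record['dest_port']}",
        # An INFO/informational hit is a correlation data point, not proof of
        # malware; investigate further only if other signals line up.
        "indicates_compromise": not informational,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVE_ALERT, SAMPLE_RULE), indent=2))
```

Running it on the sample yields category `INFO`, severity `Informational` and `indicates_compromise: False`, which is the conclusion the reply reaches by hand; feeding real eve.json lines and the actual rule text from the ruleset file in place of the constructed samples gives the same classification for any ET/ETPRO signature.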
Thanks @ishaughnessy
I very much appreciate the detailed answer.
Keep up the good work!
Eric