WWYD Socialize.null Requests

NewToNetworking
Here to help

WWYD Socialize.null Requests

I am getting some reports from the security center, these alerts are regarding .null requests to what seem to be legitimate places. The alerts state that they are coming from our Domain Controller and the requests are being made to multiple different IP addresses that check out from VirusTotal and Shodan. 

Sid 1-48666 from Snort is blocking the .null requests which flag as a indicator of compromise. Alerts are only being generated during work hours. 

 

I would like to know what steps you all would take to investigate/resolve this issue. 

 

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-name-queries-not-succes...

 

"socialize.null"

4.2.2.2

e.root-servers.net 192.203.230.10

G.ROOT-SERVERS.NET 192.112.36.4

1 Reply 1
PhilipDAth
Kind of a big deal
Kind of a big deal

Enable logging on your DNS servers, and see which clients are making the .null requests.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels