Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

WWYD Socialize.null Requests

NewToNetworking
Here to help
‎Oct 26 2022 7:01 AM
‎Oct 26 2022 7:01 AM

WWYD Socialize.null Requests

I am getting some reports from the security center, these alerts are regarding .null requests to what seem to be legitimate places. The alerts state that they are coming from our Domain Controller and the requests are being made to multiple different IP addresses that check out from VirusTotal and Shodan. 

Sid 1-48666 from Snort is blocking the .null requests which flag as a indicator of compromise. Alerts are only being generated during work hours. 

 

I would like to know what steps you all would take to investigate/resolve this issue. 

 

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-name-queries-not-succes...

 

"socialize.null"

4.2.2.2

e.root-servers.net 192.203.230.10

G.ROOT-SERVERS.NET 192.112.36.4

0 Kudos
Subscribe
1 Reply 1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 26 2022 11:48 AM
‎Oct 26 2022 11:48 AM

Enable logging on your DNS servers, and see which clients are making the .null requests.

 

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.