ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile

Description:

• This rule is triggered when an HTTP GET request is observed on port 53.
• Port 53 is sometimes used as an egress port as firewalls commonly allow DNS traffic without alarming.

False Positive:

• YES
• This appears to be a misdirected advertising request. There are multiple event instances for the same request.
• None of the associated domains (original company (www.nationalbusinessfurniture.com) show any evidence of malicious hosting.
• Best guess is someone accidentally hard coded a link to 8.8.8.8:53 in the above site's advertising framework.
• As would be expected, 8.8.8.8 (google's public name servers) are listening on tcp port 53 as they are DNS servers, and immediately close the connection upon receiving HTTP traffic.

Action:

• None