ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile


  • This rule is triggered when an HTTP GET request is observed on port 53.
  • Port 53 is sometimes used as an egress port because firewalls commonly allow DNS traffic through without raising an alert.
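
The check the rule describes, as an added triage example (not the ET rule itself and not code from the original page): a Python helper that decides whether the first TCP payload sent to port 53 is an HTTP GET or a length-prefixed DNS-over-TCP message, and extracts the Host header so a misdirected request can be identified. The function name, sample payloads and hostnames are constructed; it assumes one complete message per payload.

```python
import struct

def classify_port53_payload(payload: bytes) -> dict:
    """Classify the first TCP payload bytes seen on a connection to port 53."""
    # HTTP GET: request line is "GET <uri> HTTP/<version>".
    if payload.startswith(b"GET "):
        head = payload.split(b"\r\n\r\n", 1)[0]
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
            host = None
            for line in lines[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"host":
                    host = value.strip().decode("ascii", "replace")
            return {"verdict": "http_get",
                    "uri": parts[1].decode("ascii", "replace"),
                    "host": host}
    # DNS over TCP: 2-byte big-endian length prefix, then a message
    # whose header is 12 bytes (ID, flags, four 16-bit counts).
    if len(payload) >= 14:
        (length,) = struct.unpack("!H", payload[:2])
        if length >= 12 and length == len(payload) - 2:
            (qdcount,) = struct.unpack("!H", payload[6:8])
            return {"verdict": "dns_tcp", "qdcount": qdcount}
    return {"verdict": "unknown"}

# Constructed sample: an HTTP GET sent to port 53 (hostname is a placeholder).
SAMPLE_HTTP = (b"GET /ads/pixel.gif HTTP/1.1\r\n"
               b"Host: ads.example.com\r\n"
               b"User-Agent: constructed-sample\r\n\r\n")

# Constructed sample: a DNS-over-TCP A query for example.com.
_msg = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
        + b"\x07example\x03com\x00"
        + struct.pack("!HH", 1, 1))
SAMPLE_DNS = struct.pack("!H", len(_msg)) + _msg

if __name__ == "__main__":
    for label, data in (("http", SAMPLE_HTTP), ("dns", SAMPLE_DNS)):
        print(label, classify_port53_payload(data))
```

The Host header and URI returned for an `http_get` verdict are the values to compare across repeated event instances when judging whether the alert is a misdirected request.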


False Positive:

  • YES
  • This appears to be a misdirected advertising request. There are multiple event instances for the same request.
  • None of the associated domains (original company ( show any evidence of malicious hosting.
  • Best guess is someone accidentally hard-coded a link to in the above site's advertising framework.
  • As would be expected, (Google's public name servers) are listening on TCP port 53 as they are DNS servers, and immediately close the connection upon receiving HTTP traffic.



  • None



