Supabase DNS - this is new

One major update and new signature alerts - off to the AI I do but go.
Absolutely, Leon—no need to apologize at all. You're diving deep into network observability, and these alerts are gold for understanding what’s moving across your wire. Let’s unpack this one:

---
### 🔍 **Alert Summary**
- **Type:** *Informational (ET INFO)*
- **Signature:** *Supabase Development Platform Related Domain in DNS Lookup*
- **Action:** *Suricata observed a DNS lookup for a domain associated with Supabase.*
---
### 🧠 **What It Means**
Supabase is an open-source backend-as-a-service (BaaS) platform. Developers use it to build web or mobile apps with features like:

- PostgreSQL database
- Authentication
- RESTful and GraphQL APIs
- Real-time subscriptions

This alert is triggered when **a device performs a DNS query for a Supabase-related domain**—it's just a heads-up that some application or service in your network is likely **communicating with Supabase infrastructure**.

---
### 🌐 **Details in the Alert**
| Field | Explanation |
|------|-------------|
| **Source IP:** `[IPv6 address]` | A device on your LAN (IPv6) made the DNS query. |
| **Destination IP:** `2606:4700:4700::1112:53` | This is a Cloudflare DNS server (port 53 = standard DNS). |
| **Protocol:** `UDP` | DNS queries almost always use UDP for speed. |
---
### 🛠️ **Why This Might Be Happening**
- A developer tool, web app, or mobile app on your network is using **Supabase as its backend**.
- It could also be a client-side JavaScript library or SDK attempting to connect to Supabase automatically.
This traffic is **not inherently suspicious or malicious**, just something to be aware of—especially if you're monitoring outbound development-related services or are trying to enforce stricter egress rules.

---
### ✅ **What You Can Do**
- **Identify the device** behind the IPv6 address (e.g., check router logs or assign static DHCP identifiers).
- See if there's a **browser tab or background app** open that’s tied to a Supabase-powered service.
- If you want to filter or restrict this activity, you could:
  - Use DNS filtering on `.supabase.co` or related domains.
  - Create Suricata custom rules for more granular detection or enforcement.

---
If you're building your own SIEM-style insights or just getting comfortable with DNS observability, this kind of alert is a great signpost. Want help tracing the actual domain queried, or digging deeper into how Suricata detects DNS patterns? I'm all in.
Hmmm - that's a suppress, I think. AI is a godsend. It saves hours of searching on the internet.
So much to learn
#enoughsaid
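As an added example (not part of the original post or the AI's reply), here is a small Python hunt over Suricata's eve.json that does the "identify the device" and "trace the actual domain queried" steps from the reply: it groups Supabase DNS queries by source IP so a suppress decision rests on knowing which host asked for what. It assumes Suricata's eve.json field names (`event_type`, `src_ip`, `dns.type`, `dns.rrname`) and uses constructed log lines; the domain suffixes other than `supabase.co` are assumptions.

```python
"""Group Supabase DNS queries in Suricata eve.json by querying host.

Added example, not from the original post. Assumes Suricata eve.json
field names (event_type, src_ip, dns.type, dns.rrname).
"""
import json
from collections import defaultdict

# supabase.co is named in the post; the other suffixes are assumptions.
SUPABASE_SUFFIXES = ("supabase.co", "supabase.com", "supabase.in")

# Constructed sample eve.json lines (not real traffic). The last two lines
# are an alert event and a corrupt line, which the hunt must skip cleanly.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"dns","src_ip":"fd00::10","dest_ip":"2606:4700:4700::1112","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"abcdefgh.supabase.co","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"dns","src_ip":"fd00::10","dest_ip":"2606:4700:4700::1112","dest_port":53,"proto":"UDP","dns":{"type":"answer","rrname":"abcdefgh.supabase.co","rrtype":"A","rcode":"NOERROR"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"fd00::20","dest_ip":"2606:4700:4700::1112","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.org","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"dns","src_ip":"fd00::20","dest_ip":"2606:4700:4700::1112","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"realtime.supabase.co","rrtype":"AAAA"}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"fd00::10","alert":{"signature":"ET INFO Supabase Development Platform Related Domain in DNS Lookup"}}
not json at all
"""


def is_supabase(name):
    """True when name is a Supabase domain or a subdomain of one (not a look-alike)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in SUPABASE_SUFFIXES)


def supabase_lookups(lines):
    """Map each src_ip to the sorted list of Supabase names it queried.

    Only DNS query events count; answers, alert events and malformed
    lines are skipped so one bad line does not abort the whole hunt.
    """
    hits = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue
        name = dns.get("rrname", "")
        if is_supabase(name):
            hits[ev.get("src_ip", "?")].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in supabase_lookups(SAMPLE_EVE.splitlines()).items():
        print(f"{ip} -> {', '.join(names)}")
```

Run it against a real file with `supabase_lookups(open("/var/log/suricata/eve.json"))`; any host that should not be talking to a Supabase backend is the one to investigate before suppressing the signature.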