Snort is fetching lnurl endpoint for ln address to check for zapper pubkey. Some users have ln address set to that phishing site hence the alert.