Snort mailing list archives
"PROTOCOL-DNS Malformed DNS query with HTTP content" - background?
From: Eric G <eric () nixwizard net>
Date: Wed, 23 Apr 2014 09:40:28 -0400
We've had this rule fire off a handful of times from some random Chinese IPs lately, and I was wondering if someone clueful from the VRT could provide some background. I understand what the rule is detecting, and I understand that "GET /" to UDP port 53 is extremely weird, but the rule docs simply point at the HTTP RFC.

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy security-ips drop, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:1;)

Does anyone know what drove the creation of this rule? Was it just looking at some random pcap and seeing 'GET /' in a UDP 53 request? It's more a curiosity from my side; there's no urgency from management questioning the traffic or anything like that.

--
Eric
http://www.linkedin.com/in/ericgearhart
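The following is an added illustration of what the two content clauses in sid:28557 actually test, written for this archive page; it is not code from the poster, from Snort, or from the VRT. It decodes the rule's content strings (`|54 20|` is the two bytes "T ", `GET |2F| HTTP` is "GET / HTTP"), applies them as plain substring checks over a UDP payload, and runs that over three constructed sample datagrams: a well-formed DNS A query, an HTTP request line sent to port 53, and a request that has the "T " bytes but not the full "GET / HTTP" sequence. Port and direction are assumed to be checked by the rule header, so the function only looks at the payload.

```python
import struct

# The two content matches from sid:28557, copied as written in the rule.
# Snort content syntax: text between |..| is hex bytes, everything else is literal.
RULE_CONTENTS = ['|54 20|', 'GET |2F| HTTP']


def snort_content_to_bytes(pattern: str) -> bytes:
    """Convert a Snort content string such as 'GET |2F| HTTP' into raw bytes."""
    out = bytearray()
    # Splitting on '|' leaves literal text at even indexes and hex at odd ones.
    for i, part in enumerate(pattern.split('|')):
        if i % 2 == 1:
            out += bytes.fromhex(part)       # fromhex() ignores the spaces
        else:
            out += part.encode('latin-1')
    return bytes(out)


def rule_matches(payload: bytes, patterns=RULE_CONTENTS) -> bool:
    """Evaluate the rule's content clauses against one UDP payload.

    Neither content in sid:28557 carries offset/depth/distance/within, so each
    is an absolute search over the whole datagram, and the rule fires only when
    every pattern is present. (fast_pattern:only on "T " means Snort uses that
    content purely as a pre-filter; since "T " is a substring of "GET / HTTP",
    checking both here gives the same result as Snort's evaluation.)
    """
    return all(snort_content_to_bytes(p) in payload for p in patterns)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a well-formed DNS A/IN query (constructed sample, not a capture)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)   # QTYPE=A, QCLASS=IN


# Constructed samples of what might arrive on UDP/53 (hypothetical, not captured).
NORMAL_DNS = build_dns_query('example.com')
HTTP_ON_53 = b'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n'
PARTIAL_HTTP = b'GET /index HTTP/1.0\r\n\r\n'   # contains "T " but not "GET / HTTP"


def evaluate_samples() -> dict:
    """Return which of the constructed samples would trigger sid:28557."""
    return {
        'normal_dns': rule_matches(NORMAL_DNS),
        'http_on_53': rule_matches(HTTP_ON_53),
        'partial_http': rule_matches(PARTIAL_HTTP),
    }


if __name__ == '__main__':
    for name, fired in evaluate_samples().items():
        print(f'{name:13s} -> {"ALERT" if fired else "no match"}')
```

The third sample shows why the rule is narrower than "any HTTP on port 53": a request for any path other than exactly "/" slips past the `GET |2F| HTTP` clause, so the signature only catches the bare root request the poster saw.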