Snort mailing list archives

"PROTOCOL-DNS Malformed DNS query with HTTP content" - background?


From: Eric G <eric () nixwizard net>
Date: Wed, 23 Apr 2014 09:40:28 -0400

We've had this rule fire off a handful of times from some random Chinese
IPs lately, and I was wondering if someone clueful from the VRT could
provide some background. I understand what the rule is detecting, and I
understand that "GET /" to UDP port 53 is extremely weird, but the rule
docs simply point at the HTTP RFC.

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy security-ips drop, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:1;)


Does anyone know what drove the creation of this rule? Was it just looking
at some random pcap and seeing 'GET /' in a UDP 53 request? It's more a
curiosity from my side; there's no urgency from management questioning the
traffic or anything like that.

--
Eric
http://www.linkedin.com/in/ericgearhart
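To make the rule's logic concrete, here is an added Python example (not part of the original post, and not VRT code) that reproduces the two content checks of sid 28557 and contrasts them with a minimal DNS query parser. The payloads are constructed for illustration; the DNS parser is deliberately simplified (one question, no compression pointers, no EDNS handling), which is enough to show why a bare HTTP request line can never parse as a well-formed DNS query header.

```python
import struct

# Constructed sample payloads (not taken from the original post).
# What the rule is after: an HTTP request line arriving in a UDP datagram to port 53.
HTTP_ON_53 = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl\r\n\r\n"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query (A record, IN class) as a stub resolver would send it."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(len(lbl).to_bytes(1, "big") + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


LEGIT_QUERY = build_dns_query("example.com")


def matches_sid_28557(payload: bytes) -> bool:
    """Reproduce the rule's content checks on the UDP payload.

    content:"|54 20|" is the bytes 'T ' and is only a fast-pattern prefilter
    (fast_pattern:only), so it is not re-verified; the real signature is the
    second content match, "GET |2F| HTTP", i.e. the ASCII string 'GET / HTTP'.
    Note that 'T ' is already a substring of 'GET /', so any true positive for
    the second pattern also passes the prefilter.
    """
    if b"\x54\x20" not in payload:
        return False
    return b"GET / HTTP" in payload


def parse_dns_query(payload: bytes):
    """Parse a DNS header plus its single question section.

    Returns (txid, qname) for a plausible client query, or None when the bytes
    do not form one. Simplified: requires QDCOUNT == 1 and rejects label
    compression, which does not occur in the question of a fresh query.
    """
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:  # QR bit set means this is a response, not a query
        return None
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:  # compression pointer or oversized label
            return None
        if pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    return txid, ".".join(labels)


def classify(payload: bytes) -> str:
    """Label a UDP/53 client payload the way an analyst triaging this alert would."""
    if matches_sid_28557(payload):
        return "sid-28557"
    if parse_dns_query(payload) is not None:
        return "dns-query"
    return "unknown"


if __name__ == "__main__":
    for label, pkt in (("http-on-53", HTTP_ON_53), ("legit-query", LEGIT_QUERY)):
        print(label, "->", classify(pkt), parse_dns_query(pkt))
```

Running it shows the two cases diverge immediately: the HTTP request line, read as a DNS header, yields a transaction ID of 0x4745 ("GE") and a QDCOUNT of 0x2F20 ("/ "), so the parser rejects it, while the constructed query parses to its name and never contains the rule's patterns. That is the whole of what the signature relies on; it is a plain string match on UDP/53 payloads rather than any protocol-aware decoding.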