Re: [Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?

[James Lay <jlay () slave-tothe-box net>]

On 2014-04-23 07:39, Moore, Jim wrote:
> Last night we had a whole series of these probes.  The packets were
> addressed to UDP port 53 but contained nothing but HTTP headers, like
> so:
>
> GET / HTTP/1.1
> Host: www
>
> It's not clear to me what the prober is trying to accomplish.  The 
> alert
> triggered has no documentation, refers only to RFC 2616 (HTTP 1.1), 
> and
> I haven't found anything elsewhere about this type of probe either.
> Anybody have any ideas?
>
> Thanks!
> Jim Moore

I think the prober is looking for a response to see if someone is 
running services on non-standard ports.  I see junk like this on my 
email system:

Apr 16 06:56:48 gateway postfix/smtpd[3124]: warning: non-SMTP command 
from 1-163-152-248.dynamic.hinet.net[1.163.152.248]: GET 
http://www.scanproxy.com:80/p-25.html HTTP/1.0
Apr 20 12:57:37 gateway postfix/smtpd[7623]: warning: non-SMTP command 
from unknown[112.4.159.220]: GET / HTTP/1.1

Good intel to have.

James

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!