Snort mailing list archives
Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?
From: Nick Randolph <drandolph () sourcefire com>
Date: Wed, 23 Apr 2014 13:54:19 -0400
I'll go ahead and answer both in this thread. That rule was actually sent to us from a Snort user. They observed this type of probe on their network and submitted a rule. It's simply suspicious traffic. HTTP is a connectionless protocol so it's possible to implement it over UDP but I don't know of anyone using it like that. On Wed, Apr 23, 2014 at 10:47 AM, Eric G <eric () nixwizard net> wrote:
On Apr 23, 2014 10:04 AM, "Moore, Jim" <jmoore () thebank com> wrote:Last night we had a whole series of these probes. The packets were addressed to UDP port 53 but contained nothing but HTTP headersHaha Jim and I apparently think alike... I posted the same question around 20 minutes before his I'm seeing the same odd traffic that has sprung up recently -- Eric http://www.linkedin.com/in/ericgearhart ------------------------------------------------------------------------------ Start Your Social Network Today - Download eXo Platform Build your Enterprise Intranet with eXo Platform Software Java Based Open Source Intranet - Social, Extensible, Cloud Ready Get Started Now And Turn Your Intranet Into A Collaboration Platform http://p.sf.net/sfu/ExoPlatform _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Nick Randolph Research Engineer Sourcefire, Inc. nrandolph () sourcefire com Sourcefire.com <http://www.sourcefire.com/>
------------------------------------------------------------------------------ Start Your Social Network Today - Download eXo Platform Build your Enterprise Intranet with eXo Platform Software Java Based Open Source Intranet - Social, Extensible, Cloud Ready Get Started Now And Turn Your Intranet Into A Collaboration Platform http://p.sf.net/sfu/ExoPlatform
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Moore, Jim (Apr 23)
- Re: [Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? James Lay (Apr 23)
- Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Eric G (Apr 23)
- Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Nick Randolph (Apr 23)
- Message not available
- Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Eric G (Apr 23)
- Message not available
- Message not available
- Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Eric G (Apr 24)
- Re: PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle? Nick Randolph (Apr 23)