<div dir="ltr"><div>He may want to check the destination address' DNS conf to make sure that it's properly configured and not responding to requests from <a href="http://0.0.0.0/0">0.0.0.0/0</a>. <br></div><div><br></div><div>More information about open DNS resolvers can be found here: <a href="http://www.openresolverproject.org/">http://www.openresolverproject.org/</a> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 4, 2015 at 10:35 AM, Al Lewis (allewi) <span dir="ltr"><<a href="mailto:allewi@...3865..." target="_blank">allewi@...3865...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy security-ips drop, ruleset community, service dns; reference:url,<a href="http://www.us-cert.gov/ncas/alerts/TA13-088A" target="_blank">www.us-cert.gov/ncas/alerts/TA13-088A</a>; classtype:attempted-dos; sid:28556; rev:2; )<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#1f497d">Albert Lewis<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#888888">QA Software Engineer<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Georgia","serif";color:#999999">SOURCE</span><b><span style="font-size:12.0pt;font-family:"Georgia","serif";color:red">fire</span></b><span style="font-size:12.0pt;font-family:"Georgia","serif";color:#999999">,
 Inc. </span><span style="font-size:12.0pt;font-family:"Georgia","serif";color:#888888">now part of
</span><b><span style="font-size:12.0pt;font-family:"Georgia","serif";color:#31849b">Cisco</span></b><span style="font-size:12.0pt;font-family:"Georgia","serif";color:#888888"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#999999">9780 Patuxent Woods Drive<br>
Columbia, MD 21046 </span><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#888888"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#999999">Phone: (office) </span><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#1f497d"><a href="tel:443.430.7112" value="+14434307112" target="_blank">443.430.7112</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#999999">Email:
</span><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#1f497d"><a href="mailto:allewi@...3865..." target="_blank">allewi@...3865...</a></span><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#4f81bd"> </span><span style="font-size:12.0pt;font-family:"Candara","sans-serif";color:#1f497d"><u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Mustaque [mailto:<a href="mailto:mustaque.ahmad@...4030..." target="_blank">mustaque.ahmad@...4030...</a>]
<br>
<b>Sent:</b> Monday, May 04, 2015 1:58 AM<br>
<b>To:</b> <a href="mailto:snort-sigs@lists.sourceforge.net" target="_blank">snort-sigs@lists.sourceforge.net</a><span class=""><br>
<b>Subject:</b> [Snort-sigs] PROTOCOL-DNS DNS query amplification attempt (1:28556)<u></u><u></u></span></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Hi,<u></u><u></u></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I can't see the packet information to investigate the integrity of this rule. And what does this rule do? Need more info.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks and Regards<u></u><u></u></p>
<p class="MsoNormal">Mustaque<u></u><u></u></p>
</div></div></div>
</div>

<br>_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
<br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br></blockquote></div><br></div>
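<p>To answer the "what does this rule do?" question with something that can be run, here is an added example that is not part of this thread or of the Snort ruleset: a Python re-implementation of the detection options of SID 28556, read against the DNS wire format (RFC 1035 header and question section, RFC 6891 OPT record). The comments map each rule option to the field it inspects. The sample queries are constructed inline rather than taken from a capture, and the names <code>build_query</code>, <code>decode_query</code> and <code>matches_sid_28556</code> are this example's own.</p>

```python
"""Re-implementation of the detection logic of Snort SID 28556 (added example).

Rule option                               DNS wire-format meaning (RFC 1035 / RFC 6891)
content:"|00 01|"; depth:2; offset:4      QDCOUNT (bytes 4-5) == 1
byte_test:1,!&,0xF8,2                     high flags byte (byte 2): QR=0 and OPCODE=0
content:"|00 01|"; within:2; distance:4   skip ANCOUNT/NSCOUNT; ARCOUNT (bytes 10-11) == 1
content:"|00 00 FF 00 01 00 00 29|"       end of QNAME, QTYPE=ANY (255), QCLASS=IN,
                                          then OPT RR: root name (00), TYPE=41
byte_test:2,>,0x7FFF,0,relative           OPT CLASS field = requested UDP payload size > 32767
"""
import struct
from typing import Optional

DNS_TYPE_A = 1
DNS_TYPE_ANY = 255
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
OPT_PATTERN = b"\x00\x00\xff\x00\x01\x00\x00\x29"  # the rule's 8-byte content match


def build_query(qname: str, qtype: int, edns_udp_size: Optional[int]) -> bytes:
    """Build a DNS query payload (constructed sample data, not a real capture)."""
    arcount = 1 if edns_udp_size is not None else 0
    # ID=0x1234, flags=0x0100 (QR=0, OPCODE=0, RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, DNS_CLASS_IN)
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def matches_sid_28556(payload: bytes) -> bool:
    """Apply the rule's content/byte_test options literally to a UDP payload."""
    if len(payload) < 12:
        return False
    # content:"|00 01|"; depth:2; offset:4  -> exactly bytes 4-5
    if payload[4:6] != b"\x00\x01":
        return False
    # byte_test:1,!&,0xF8,2 -> absolute byte 2 has none of the bits 0xF8 set
    if payload[2] & 0xF8:
        return False
    # content:"|00 01|"; within:2; distance:4 -> previous match ended at 6; 6+4 = bytes 10-11
    if payload[10:12] != b"\x00\x01":
        return False
    # third content has no relative modifier, so Snort searches the whole payload
    idx = payload.find(OPT_PATTERN)
    if idx < 0:
        return False
    # byte_test:2,>,0x7FFF,0,relative -> the 2 big-endian bytes right after that match
    after = idx + len(OPT_PATTERN)
    if len(payload) < after + 2:
        return False
    return struct.unpack("!H", payload[after:after + 2])[0] > 0x7FFF


def decode_query(payload: bytes) -> dict:
    """Decode header, question and a trailing OPT record so the rule can be read against fields."""
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while True:
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in a query is unexpected")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    info = {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "qdcount": qdcount,
            "arcount": arcount, "qname": ".".join(labels) + ".", "qtype": qtype,
            "qclass": qclass, "edns_udp_size": None}
    # An OPT record (root name, TYPE 41) directly after the question carries the EDNS size
    if arcount >= 1 and pos + 5 <= len(payload) and payload[pos] == 0:
        rtype, rclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
        if rtype == DNS_TYPE_OPT:
            info["edns_udp_size"] = rclass
    return info


if __name__ == "__main__":
    samples = {  # constructed queries, not captured traffic
        "A query, no EDNS": build_query("example.com", DNS_TYPE_A, None),
        "ANY query, EDNS size 4096": build_query("example.com", DNS_TYPE_ANY, 4096),
        "ANY query, EDNS size 65535": build_query("example.com", DNS_TYPE_ANY, 65535),
    }
    for label, pkt in samples.items():
        print(f"{label:28s} fires={matches_sid_28556(pkt)!s:5s} {decode_query(pkt)}")
```

Read together with the decoded fields, the rule fires on a single-question query (QR and OPCODE clear, QDCOUNT 1) carrying one additional record, where the question is for QTYPE ANY and the following OPT record advertises a UDP payload size above 32767. That combination asks a resolver for the largest possible answer to be returned over UDP, which is the reflection profile the referenced TA13-088A alert describes, and the reply above about checking that the destination is not an open resolver addresses the other half of the risk. Note that the third <code>content</code> has no relative modifier, so Snort's pattern search is not tied to the question offset; <code>matches_sid_28556</code> follows the rule literally, while <code>decode_query</code> parses the structure and is the stricter of the two.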