[Snort-users] Suspicious DNS query
jcorgan at ...1638...
Tue Apr 3 09:10:06 EDT 2001
The following two packets were received this AM and logged:
00:32:08.756958 184.108.40.206.3401 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
00:32:08.770594 220.127.116.11.3401 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)
The first triggered IDS277 (named-iquery-probe), but the second
was only logged because I happened to be profiling dns server usage
and was logging all dns requests to this host anyway.
Any ideas as to what it is? It looks like it was sent back-to-back
with the first as this host was about 20-30 ms away and there
doesn't appear to have been time to have received a reply from the
Atlas Enterprises Internet
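As an added example, not from the original post or from the Snort project, here is a small Python classifier that parses a raw UDP DNS query and flags the two probe patterns in the log above: the inverse-query opcode that IDS277 (named-iquery-probe) matches, and a CHAOS-class TXT query for version.bind. The alert names, the build_query helper and the sample payloads are assumptions constructed for the demo; only the transaction ids and flag words are taken from the tcpdump lines.

```python
import struct

# DNS constants (RFC 1035): opcode 1 = inverse query (IQUERY), class 3 = CHAOS, type 16 = TXT
OPCODE_IQUERY = 1
CLASS_CHAOS = 3
TYPE_TXT = 16

def parse_name(payload, offset):
    """Decode an uncompressed DNS name starting at offset; returns (name, new_offset)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not expected in a bare query
            raise ValueError("compressed name in question section")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", offset

def classify_dns_query(payload):
    """Return the list of alert names raised by one UDP DNS query payload."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    alerts = []
    if opcode == OPCODE_IQUERY:
        alerts.append("named-iquery-probe")   # assumed name, mirrors IDS277
    offset = 12                            # question section starts after the header
    for _ in range(qdcount):               # inverse queries may carry qdcount == 0
        qname, offset = parse_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        if qclass == CLASS_CHAOS and qtype == TYPE_TXT and qname.lower() == "version.bind":
            alerts.append("bind-version-probe")   # assumed name
    return alerts

def build_query(txid, flags, qname, qtype, qclass):
    """Hypothetical helper: encode a one-question DNS query for the constructed samples."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, qclass)

# Constructed payloads mirroring the two logged packets (ids and flags from the tcpdump lines).
IQUERY_PROBE = build_query(36646, 0x0980, ".", 1, 1)   # inv_q+ [b2&3=0x980] A? .
VERSION_BIND_PROBE = build_query(41832, 0x0180, "version.bind", TYPE_TXT, CLASS_CHAOS)

if __name__ == "__main__":
    for pkt in (IQUERY_PROBE, VERSION_BIND_PROBE):
        print(classify_dns_query(pkt))
```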