[Snort-users] Suspicious DNS query

Johnathan Corgan jcorgan at ...1638...
Tue Apr 3 09:10:06 EDT 2001

The following two packets were received this AM and logged 
by snort:

00:32:08.756958 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
00:32:08.770594 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)

The first triggered IDS277 (named-iquery-probe), but the second
was only logged because I happened to be profiling DNS server usage
and was logging all DNS requests to this host anyway.

Any ideas as to what it is? It looks like it was sent back-to-back
with the first as this host was about 20-30 ms away and there
doesn't appear to have been time to have received a reply from the
first packet.

Johnathan Corgan
Atlas Enterprises Internet
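An added example, not from the post or from Snort, that turns the two logged lines into a small detector: it parses tcpdump's DNS query summary, flags inverse queries and CHAOS-class TXT queries for server identity names, and, following the timing argument above, marks a flagged query that arrives less than one RTT after the previous query as scripted. Assumptions: the lines have the source address stripped exactly as quoted above, the 20 ms RTT is a placeholder, and `hostname.bind` and `id.server` are the other CHAOS identity names commonly answered by name servers.

```python
import re
from typing import Optional
# Constructed sample lines in tcpdump's DNS summary format, modelled on the two
# queries quoted in the post plus one ordinary lookup (addresses are placeholders).
SAMPLE_LOG = """\
00:32:08.756958 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
00:32:08.770594 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)
00:32:09.101234 > xx.xx.xx.xx.domain: 41833+ A? www.example.com. (33)
"""

# Layout: <ts> > <dst>: <id>[ <opcode>][+][ [flags]] <TYPE>[ <CLASS>)]? <name> (<len>)
# The opcode word is printed only for non-standard opcodes (inv_q) and the class only
# when it is not IN, which is why the second line reads "TXT CHAOS)? version.bind.".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) > \S+: (?P<qid>\d+)(?P<opcode> inv_q| stat)?\+?"
    r"(?: \[[^\]]*\])? (?P<qtype>\S+?)(?: (?P<qclass>[A-Z]+)\))?\? (?P<qname>\S+) \(\d+\)$"
)
IDENTITY_NAMES = {"version.bind", "hostname.bind", "id.server"}  # CHAOS-class identity names

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()  # ts, qid, opcode, qtype, qclass, qname
    q["qid"] = int(q["qid"])
    q["opcode"] = (q["opcode"] or "query").strip()
    q["qclass"] = q["qclass"] or "IN"
    return q

def classify(q: dict) -> Optional[str]:
    """Label queries worth an alert; ordinary IN lookups return None."""
    if q["opcode"] == "inv_q":
        return "inverse query (obsolete opcode, typical of a named probe)"
    if q["qclass"] == "CHAOS" and q["qtype"] == "TXT" and q["qname"].lower().rstrip(".") in IDENTITY_NAMES:
        return "CHAOS TXT query for server identity"
    return None

def seconds(ts: str) -> float:
    return sum(float(x) * k for x, k in zip(ts.split(":"), (3600, 60, 1)))

def scan(log: str, rtt_ms: float = 20.0) -> list:
    """Return (ts, qid, label) per flagged query; mark one arriving <1 RTT after the previous query."""
    findings, prev = [], None
    for q in filter(None, map(parse_line, log.splitlines())):
        label = classify(q)
        if label:
            if prev and (seconds(q["ts"]) - seconds(prev["ts"])) * 1000 < rtt_ms:
                label += "; <1 RTT after previous query (scripted)"
            findings.append((q["ts"], q["qid"], label))
        prev = q
    return findings
```

Running `scan(SAMPLE_LOG)` flags the inverse query and the version.bind query, with the second marked as scripted because it arrived about 14 ms after the first, inside the 20 ms RTT.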
