[Snort-users] Suspicious DNS query

Johnathan Corgan jcorgan at ...1638...
Tue Apr 3 09:10:06 EDT 2001


The following two packets were received this AM and logged 
by snort:

00:32:08.756958 64.45.60.200.3401 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
00:32:08.770594 64.45.60.200.3401 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)

The first triggered IDS277 (named-iquery-probe), but the second
was only logged because I happened to be profiling dns server usage
and was logging all dns requests to this host anyway.

Any ideas as to what it is?  It looks like it was sent back-to-back 
with the first as this host was about 20-30 ms away and there
doesn't appear to have been time to have received a reply from the
first packet.

Johnathan Corgan
Atlas Enterprises Internet
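To show what those two log lines contain on the wire, here is an added example (not part of the original post): a small Python classifier that parses a DNS query payload and flags both patterns, the inverse-query opcode (what tcpdump prints as inv_q, and what IDS277 matches) and a CHAOS-class TXT query for version.bind. The two packets are constructed to match the IDs, flag bytes (tcpdump's b2&3 is bytes 2-3 of the DNS header) and lengths in the log; the 10.0.0.1 address placed in the inverse query's answer section is an assumption, since the log does not show it.

```python
import struct

OPCODE_IQUERY = 1                 # inverse query opcode (RFC 1035, obsolete)
QTYPE_TXT, QCLASS_CHAOS = 16, 3   # TXT record, CHAOS class (used for version.bind)

def read_name(buf, off):
    """Decode an uncompressed DNS name at buf[off:]; return (name, new_off)."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0:              # compression pointer: never expected in a query
            raise ValueError("compressed name in question section")
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels) or ".", off

def classify_query(payload):
    """Return a list of findings for one DNS query payload (UDP data only)."""
    findings = []
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF  # bits 14-11 of the flags word
    if opcode == OPCODE_IQUERY:
        findings.append(f"id={qid} inverse query (iquery probe), ancount={ancount}")
    off = 12
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4]); off += 4
        if qclass == QCLASS_CHAOS and qtype == QTYPE_TXT and name.lower() == "version.bind":
            findings.append(f"id={qid} CHAOS TXT version.bind (BIND version probe)")
    return findings

# Constructed packets matching the two log lines: same IDs, flags and byte counts.
# An inverse query carries its data in the answer section (qdcount=0, ancount=1);
# the 10.0.0.1 in its rdata is an assumed value, not taken from the log.
IQUERY_PKT = (struct.pack("!6H", 36646, 0x0980, 0, 1, 0, 0)
              + b"\x00" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes([10, 0, 0, 1]))  # 27 bytes
VERSION_PKT = (struct.pack("!6H", 41832, 0x0180, 1, 0, 0, 0)
               + b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS))  # 30 bytes

if __name__ == "__main__":
    for pkt in (IQUERY_PKT, VERSION_PKT):
        print(len(pkt), classify_query(pkt))
```

Run over a capture of port 53 queries, the second check flags version.bind lookups that a plain iquery rule such as IDS277 would otherwise not report.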
