[Snort-users] Suspicious DNS query
fygrave at ...121...
Tue Apr 3 09:36:47 EDT 2001
On Tue, Apr 03, 2001 at 06:10:06AM -0700, Johnathan Corgan wrote:
> The following two packets were received this AM and logged
> by snort:
> 00:32:08.756958 126.96.36.199.3401 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
> 00:32:08.770594 188.8.131.52.3401 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)
> The first triggered IDS277 (named-iquery-probe), but the second
> was only logged because I happened to be profiling dns server usage
> and was logging all dns requests to this host anyway.
> Any ideas as to what it is?
The first one looks like address lookup for root cache while the second one looks like named version retrieval attempt to me.
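As an added illustration (not part of the original thread or of Snort), the following Python decodes the two request types the tcpdump lines above show from DNS wire format and flags them the way an IDS rule would. The packets are constructed here from the values in the log (transaction IDs 36646 and 41832, header bytes 2-3 of 0x0980 and 0x0180, `A? .` and `TXT CHAOS? version.bind.`); the function names and the finding strings are this example's own.

```python
import struct

# DNS header/question constants from RFC 1035
OPCODE_IQUERY = 1     # inverse query; tcpdump prints this as "inv_q"
QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1
QCLASS_CHAOS = 3


def encode_name(name):
    """Encode a dotted name as DNS labels; '.' (the root) is a lone zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, flags, qname, qtype, qclass):
    """Build a one-question DNS query: 12-byte header followed by the question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def decode_name(msg, offset):
    """Read an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) or "."), offset


def parse_query(msg):
    """Parse header flags and the first question of a DNS message."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "opcode": opcode,
            "qname": qname, "qtype": qtype, "qclass": qclass}


def classify(q):
    """Return the findings an analyst would want raised for this query."""
    findings = []
    if q["opcode"] == OPCODE_IQUERY:
        findings.append("inverse-query (IQUERY) probe")
    if (q["qclass"] == QCLASS_CHAOS and q["qtype"] == QTYPE_TXT
            and q["qname"].lower() == "version.bind"):
        findings.append("version.bind CHAOS TXT lookup (named version fingerprinting)")
    return findings


# Constructed packets matching the two log lines in the thread
PROBE_IQUERY = build_query(36646, 0x0980, ".", QTYPE_A, QCLASS_IN)
PROBE_VERSION = build_query(41832, 0x0180, "version.bind", QTYPE_TXT, QCLASS_CHAOS)

if __name__ == "__main__":
    for pkt in (PROBE_IQUERY, PROBE_VERSION):
        q = parse_query(pkt)
        print(q["id"], hex(q["flags"]), q["qname"], classify(q))
```

The opcode is taken from the flags word, so the check does not depend on tcpdump's rendering; a normal recursive lookup (flags 0x0100, class IN) yields no findings. Dropping or rate-limiting the CHAOS `version.bind` class and disabling inverse queries on the server are the usual mitigations.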