[Snort-users] Suspicious DNS query

Fyodor fygrave at ...121...
Tue Apr 3 09:36:47 EDT 2001


On Tue, Apr 03, 2001 at 06:10:06AM -0700, Johnathan Corgan wrote:
> The following two packets were received this AM and logged 
> by snort:
> 
> 00:32:08.756958 64.45.60.200.3401 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
> 00:32:08.770594 64.45.60.200.3401 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)
> 
> The first triggered IDS277 (named-iquery-probe), but the second
> was only logged because I happened to be profiling dns server usage
> and was logging all dns requests to this host anyway.
> 
> Any ideas as to what it is?

The first one looks like an address lookup for root cache while the second one looks like a named version retrieval attempt to me.
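Added example, not part of the thread: a small Python parser that decodes the DNS header flags and question section of the two probes quoted above and flags them the way a detection rule would. The packet bytes are constructed here from the values in the tcpdump lines (ids 36646 and 41832, header bytes 2&3 of 0x0980 and 0x0180, the questions `A? .` and `TXT CHAOS? version.bind.`), not captured traffic.

```python
import struct

# Constructed sample packets reproducing the header values and questions from
# the tcpdump output above; they are not the original captured bytes.
IQUERY_PROBE = (struct.pack("!HHHHHH", 36646, 0x0980, 1, 0, 0, 0)
                + b"\x00" + struct.pack("!HH", 1, 1))          # "." A IN
VERSION_BIND = (struct.pack("!HHHHHH", 41832, 0x0180, 1, 0, 0, 0)
                + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3))  # TXT CHAOS

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
QTYPES = {1: "A", 16: "TXT"}
QCLASSES = {1: "IN", 3: "CHAOS"}

def parse_name(buf, off):
    """Read an uncompressed wire-format name; the root name renders as '.'."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", off

def parse_query(buf):
    """Decode the 12-byte header (RFC 1035) and every question entry."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = parse_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4]); off += 4
        questions.append((name, QTYPES.get(qtype, qtype), QCLASSES.get(qclass, qclass)))
    return {"id": ident,
            "opcode": OPCODES.get((flags >> 11) & 0xF, "UNKNOWN"),
            "rd": bool(flags & 0x0100),   # tcpdump's trailing "+"
            "ra": bool(flags & 0x0080),   # unusual in a query; why tcpdump prints b2&3
            "questions": questions}

def classify(buf):
    """Return the alert strings a detection rule would raise for this query."""
    q, alerts = parse_query(buf), []
    if q["opcode"] == "IQUERY":
        alerts.append("inverse query (obsolete opcode; cf. IDS277 named-iquery-probe)")
    for name, qtype, qclass in q["questions"]:
        if name.lower() == "version.bind." and qtype == "TXT" and qclass == "CHAOS":
            alerts.append("version.bind CHAOS TXT lookup (name server version fingerprint)")
    return alerts
```

On BIND the second probe can be made uninformative with the `version` option in the `options` block of named.conf, and both are worth logging at the resolver regardless.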
