[Snort-users] Suspicious DNS query

Avleen Vig avleen at ...396...
Tue Apr 3 09:36:02 EDT 2001


> 00:32:08.756958 64.45.60.200.3401 > xx.xx.xx.xx.domain: 36646 inv_q+ [b2&3=0x980] A? . (27)
> 00:32:08.770594 64.45.60.200.3401 > xx.xx.xx.xx.domain: 41832+ [b2&3=0x180] TXT CHAOS)? version.bind. (30)
>
> The first triggered IDS277 (named-iquery-probe), but the second
> was only logged because I happened to be profiling dns server usage
> and was logging all dns requests to this host anyway.
>
> Any ideas as to what it is?  It looks like it was sent back-to-back
> with the first as this host was about 20-30 ms away and there
> doesn't appear to have been time to have received a reply from the
> first packet.

Someone did a TXT lookup for a record on your nameservers, trying to
find out which version of BIND you were running (if you were running one
at all).

If you run BIND on your name servers, I really hope you're running the
latest version :)
If you need any help with this, give me a shout.
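For readers who want to see exactly what those two packets look like on the wire and how an IDS tells them apart, here is an added example (not code from the original post or from Snort). It rebuilds both probes from the tcpdump lines above, matching the opcode, the flag words and the 27- and 30-byte lengths, then runs a small DNS question/answer parser over them. The signature names it emits are assumed labels for this example, not Snort rule SIDs, and the 127.0.0.1 rdata in the inverse query is a constructed value, since the capture does not show it.

```python
"""Rebuild the two DNS probes from the capture and classify them.

Added example, not part of the original post.  Packet contents are
constructed to match the tcpdump output (opcode, flags, lengths);
signature names are assumed labels, not Snort SIDs.
"""
import struct

OPCODE_QUERY, OPCODE_IQUERY = 0, 1
QTYPE_A, QTYPE_TXT = 1, 16
QCLASS_IN, QCLASS_CH = 1, 3
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """'version.bind.' -> b'\\x07version\\x04bind\\x00'; the root '.' -> b'\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Return (name, next_offset).  Compression pointers are rejected:
    a scanner's query has no reason to use them, and rejecting keeps
    the parser loop-free."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) or ".", off


def build_query(qname, qtype, qclass, txid=1, flags=FLAG_RD):
    """Ordinary one-question query (QDCOUNT=1, no other sections)."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_version_bind_query(txid=41832):
    # Second packet: flags 0x0180 = RD plus RA.  RA only belongs in a
    # response; it is the odd bit that made tcpdump print [b2&3=0x180].
    return build_query("version.bind.", QTYPE_TXT, QCLASS_CH, txid, 0x0180)


def build_iquery_probe(txid=36646):
    # First packet: flags 0x0980 = opcode IQUERY (1 << 11) plus RD and RA.
    # The classic iquery probe carries no question; it puts one A record
    # in the answer section and asks the server to map the rdata to a
    # name.  12 + 1 + 10 + 4 = 27 bytes, as in the capture.
    hdr = struct.pack("!HHHHHH", txid, 0x0980, 0, 1, 0, 0)
    rdata = bytes([127, 0, 0, 1])  # constructed; the capture does not show it
    rr = encode_name(".") + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 0, len(rdata))
    return hdr + rr + rdata


def parse_query(pkt):
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    msg = {"txid": txid, "flags": flags, "opcode": (flags >> 11) & 0xF,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        msg["answers"].append((name, rtype, rclass, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return msg


def classify(pkt):
    """Return the (assumed) signature names the packet matches, in order."""
    msg = parse_query(pkt)
    hits = []
    if msg["opcode"] == OPCODE_IQUERY:
        hits.append("named-iquery-probe")      # what IDS277 fired on
    for name, qtype, qclass in msg["questions"]:
        if qclass == QCLASS_CH and qtype == QTYPE_TXT and name.lower() == "version.bind":
            hits.append("bind-version-probe")  # the second packet, only seen in the logs
    if msg["flags"] & FLAG_RA and not msg["flags"] & FLAG_QR:
        hits.append("ra-bit-set-in-query")     # response-only bit in a query
    return hits


if __name__ == "__main__":
    for pkt in (build_iquery_probe(), build_version_bind_query()):
        print(len(pkt), "bytes ->", classify(pkt))
```

The second packet is byte for byte what `dig @<server> version.bind txt chaos` sends, apart from the stray RA bit, so the pair (inverse query immediately followed by a CHAOS TXT lookup) is a scanner fingerprint rather than anything a resolver would emit. Patching BIND is the real fix; BIND's `options { version "..."; }` directive additionally lets you replace the string that this query returns.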
