[Snort-users] "PROTOCOL-DNS Malformed DNS query with HTTP content" - background?

Eric G eric at ...15503...
Wed Apr 23 09:40:28 EDT 2014

We've had this rule fire off a handful of times from some random Chinese
IPs lately, and I was wondering if someone clueful from the VRT could
provide some background. I understand what the rule is detecting, and I
understand that "GET /" to UDP port 53 is extremely weird, but the rule
docs simply point at the HTTP RFC.

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS
Malformed DNS query with HTTP content"; flow:to_server; content:"|54
fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy
security-ips drop, service dns;
reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity;
sid:28557; rev:1;)

Does anyone know what drove the creation of this rule? Was it just looking
at some random pcap and seeing 'GET /' in a UDP 53 request? It's more a
curiosity from my side; there's no urgency from management questioning the
traffic or anything like that.
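
Added example (not part of the original post and not VRT code): a Python sketch of what the visible content:"GET |2F| HTTP" match sees in a UDP/53 payload, alongside a structural check of whether the payload parses as a DNS query at all. The function names, labels and sample payloads are constructed for illustration; the rule's truncated first content match is not reproduced.

```python
import struct

HTTP_MARKER = b"GET / HTTP"  # bytes matched by content:"GET |2F| HTTP" in the rule

def parses_as_dns_query(payload: bytes) -> bool:
    """True if payload has a DNS query header and well-formed question section."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount == 0:  # QR=1 is a response; a query needs a question
        return False
    pos = 12
    for _ in range(qdcount):
        while True:  # walk QNAME: length byte, then that many label bytes, 0 ends
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63:  # simplification: compression pointers rejected
                return False
            pos += length
        pos += 4  # QTYPE and QCLASS
        if pos > len(payload):
            return False
    return True

def classify(payload: bytes) -> str:
    has_http = HTTP_MARKER in payload
    is_dns = parses_as_dns_query(payload)
    if has_http:
        return "dns-with-http-bytes" if is_dns else "http-on-dns-port"
    return "dns" if is_dns else "other"

# Constructed sample UDP payloads (not taken from any capture).
DNS_HEADER = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
QTAIL = struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_DNS = DNS_HEADER + b"\x07example\x04test\x00" + QTAIL
SAMPLE_LABEL = DNS_HEADER + b"\x0aGET / HTTP\x04test\x00" + QTAIL

if __name__ == "__main__":
    for name, p in [("http", SAMPLE_HTTP), ("dns", SAMPLE_DNS), ("label", SAMPLE_LABEL)]:
        print(name, classify(p))
```

The third sample is a structurally valid query whose label happens to contain the marker bytes, so a bare content match would also fire on it; the structural check is what separates it from a raw HTTP request sent to port 53.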
