[Snort-users] "PROTOCOL-DNS Malformed DNS query with HTTP content" - background?
eric at ...15503...
Wed Apr 23 09:40:28 EDT 2014
We've had this rule fire off a handful of times from some random Chinese
IPs lately, and I was wondering if someone clueful from the VRT could
provide some background. I understand what the rule is detecting, and I
understand that "GET /" to UDP port 53 is extremely weird, but the rule
docs simply point at the HTTP RFC.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS
Malformed DNS query with HTTP content"; flow:to_server; content:"|54
fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy
security-ips drop, service dns;
Does anyone know what drove the creation of this rule? Was it just looking
at some random pcap and seeing 'GET /' in a UDP 53 request? It's more a
curiosity from my side; there's no urgency from management questioning the
traffic or anything like that.
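As an added example (not code from the original post or from the VRT rule set), the following Python analogue shows what the rule is matching on: it searches a UDP/53 payload for the "GET / HTTP" request line and, as an extra check the Snort rule itself does not perform, tests whether the first 12 bytes parse as a plausible DNS query header. The sample payloads are constructed for the example.

```python
import struct

# Constructed sample payloads (not captures from the original post).
LEGIT_DNS_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME example.com
    b"\x00\x01\x00\x01"          # QTYPE A, QCLASS IN
)
HTTP_OVER_UDP53 = b"GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
SHORT_JUNK = b"GET"

# Same byte pattern the rule's content:"GET |2F| HTTP" matches.
HTTP_REQUEST_LINE = b"GET / HTTP"


def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap structural sanity check on a DNS query header (RFC 1035 s4.1.1).

    Returns True only if the header is long enough, QR=0 (a query),
    the opcode is one a client would send, and the section counts are
    plausible for a question sent to a server.
    """
    if len(payload) < 12:
        return False
    _tid, flags, qdcount, ancount, nscount, _arcount = struct.unpack(
        "!HHHHHH", payload[:12]
    )
    qr = flags >> 15             # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF  # QUERY=0, IQUERY=1, STATUS=2
    if qr != 0 or opcode > 2:
        return False
    if qdcount == 0 or qdcount > 8 or ancount or nscount:
        return False
    return True


def classify_udp53_payload(payload: bytes) -> str:
    """Mirror the rule's intent for a datagram sent to UDP/53.

    'alert' when the payload carries an HTTP request line but does not
    look like a DNS query; 'dns' for a structurally sane query; 'other'
    for anything else (so a match inside a sane query is not alerted).
    """
    is_dns = looks_like_dns_query(payload)
    if HTTP_REQUEST_LINE in payload and not is_dns:
        return "alert"
    return "dns" if is_dns else "other"
```

Note that the ASCII bytes of "GET " decode as a DNS header with opcode 10, which is why the header check alone already rejects an HTTP request line at offset 0.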