[Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?

Moore, Jim jmoore at ...16816...
Wed Apr 23 09:39:39 EDT 2014


Last night we had a whole series of these probes.  The packets were
addressed to UDP port 53 but contained nothing but HTTP headers, like
so:

GET / HTTP/1.1
Host: www

It's not clear to me what the prober is trying to accomplish.  The alert
triggered has no documentation, refers only to RFC 2616 (HTTP 1.1), and
I haven't found anything elsewhere about this type of probe either.
Anybody have any ideas?

Thanks!
Jim Moore


-- 
James J. Moore, Network Administrator
NexTier Bank
245 Pittsburgh Road
Butler, PA  16001
jmoore at ...16816...
Phone: 724-214-6205
Cell:  724-355-6718
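
Added example, not part of the original message and not Snort's own rule logic: it decodes the first 12 bytes of the probe described above as a DNS header, which shows why a DNS preprocessor or rule sees the packet as malformed, and classifies UDP/53 payloads accordingly. The function names, the CRLF line endings and both sample payloads are assumptions constructed for illustration.

```python
import re
import struct

# Constructed sample: the probe from the post (CRLF line endings are assumed).
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"
# Constructed sample: an ordinary query for www.example.com, type A, class IN.
DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x03www\x07example\x03com\x00" + struct.pack("!2H", 1, 1))

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}  # IANA-assigned DNS opcodes


def parse_dns_header(payload):
    """Decode the fixed 12-byte DNS header (RFC 1035, 4.1.1); None if too short."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_udp53_payload(payload):
    """Return (verdict, reasons) for one UDP/53 payload."""
    reasons = []
    is_http = bool(HTTP_REQUEST_LINE.match(payload))
    if is_http:
        reasons.append("starts with an HTTP request line")
    hdr = parse_dns_header(payload)
    if hdr is None:
        reasons.append("shorter than the 12-byte DNS header")
    else:
        if hdr["opcode"] not in ASSIGNED_OPCODES:
            reasons.append(f"unassigned opcode {hdr['opcode']}")
        claimed = sum(hdr[k] for k in ("qdcount", "ancount", "nscount", "arcount"))
        body = len(payload) - 12
        if claimed > body:  # every record occupies at least one byte
            reasons.append(f"{claimed} records claimed in {body} bytes")
    if is_http:
        return "http-on-dns-port", reasons
    return ("malformed-dns" if reasons else "plausible-dns"), reasons


if __name__ == "__main__":
    for name, data in (("probe", HTTP_PROBE), ("query", DNS_QUERY)):
        print(name, parse_dns_header(data), classify_udp53_payload(data))
```

Read as DNS, the ASCII bytes "GET / HTTP/1" become transaction ID 0x4745, an unassigned opcode and section counts in the tens of thousands, so no resolver would treat the packet as a valid query.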
