[Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?
jlay at ...13475...
Wed Apr 23 10:27:55 EDT 2014
On 2014-04-23 07:39, Moore, Jim wrote:
> Last night we had a whole series of these probes. The packets were
> addressed to UDP port 53 but contained nothing but HTTP headers, like
> GET / HTTP/1.1
> Host: www
> It's not clear to me what the prober is trying to accomplish. The
> triggered has no documentation, refers only to RFC 2616 (HTTP 1.1),
> I haven't found anything elsewhere about this type of probe either.
> Anybody have any ideas?
> Jim Moore
I think the prober is looking for a response to see if someone is
running services on non-standard ports. I see junk like this on my
Apr 16 06:56:48 gateway postfix/smtpd: warning: non-SMTP command from 1-163-152-248.dynamic.hinet.net[184.108.40.206]: GET
Apr 20 12:57:37 gateway postfix/smtpd: warning: non-SMTP command from unknown[220.127.116.11]: GET / HTTP/1.1
Good intel to have.
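
Added example, not part of the original thread and not the Snort rule's own logic: a Python triage check for UDP/53 payloads that flags an HTTP request line and shows how the same bytes decode as an RFC 1035 DNS header. The function names, sample payloads and sanity bounds are assumptions made for illustration.

```python
import re
import struct

# Request line shape from RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d\r?\n"
)

def dns_header_view(payload: bytes) -> dict:
    """Decode the first 12 bytes the way a DNS server would (RFC 1035 header)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_udp53(payload: bytes) -> str:
    """Return 'http-on-dns', 'too-short', 'implausible-dns' or 'plausible-dns'."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http-on-dns"
    if len(payload) < 12:          # a DNS header is always 12 bytes
        return "too-short"
    h = dns_header_view(payload)
    if h["qr"] == 0:
        # Assumed sanity bounds: opcodes above 6 are unassigned, and a
        # standard query (opcode 0) carries one question and no answers.
        if h["opcode"] > 6:
            return "implausible-dns"
        if h["opcode"] == 0 and (h["qdcount"] != 1 or h["ancount"] != 0):
            return "implausible-dns"
    return "plausible-dns"

# Constructed samples: the probe text quoted in the thread, and an ordinary
# A query for www.example.com (ID and name chosen for the example).
PROBE = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x03www\x07example\x03com\x00" + struct.pack("!2H", 1, 1))

if __name__ == "__main__":
    for name, data in (("probe", PROBE), ("query", QUERY)):
        print(name, classify_udp53(data), dns_header_view(data))
```

Read as a DNS header, "GET / HTTP/1" becomes an unassigned opcode with five-digit section counts, which is why a resolver or IDS sees the packet as a malformed query rather than as HTTP.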