[Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?

James Lay
Wed Apr 23 10:27:55 EDT 2014


On 2014-04-23 07:39, Moore, Jim wrote:
> Last night we had a whole series of these probes.  The packets were
> addressed to UDP port 53 but contained nothing but HTTP headers, like
> so:
>
> GET / HTTP/1.1
> Host: www
>
> It's not clear to me what the prober is trying to accomplish.  The alert
> triggered has no documentation, refers only to RFC 2616 (HTTP 1.1), and
> I haven't found anything elsewhere about this type of probe either.
> Anybody have any ideas?
>
> Thanks!
> Jim Moore

I think the prober is looking for a response to see if someone is
running services on non-standard ports.  I see junk like this on my
email system:

Apr 16 06:56:48 gateway postfix/smtpd[3124]: warning: non-SMTP command from 1-163-152-248.dynamic.hinet.net[1.163.152.248]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
Apr 20 12:57:37 gateway postfix/smtpd[7623]: warning: non-SMTP command from unknown[112.4.159.220]: GET / HTTP/1.1

Good intel to have.

James
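The following is an added example, not code posted in this thread. It shows the two checks a practitioner would want for the traffic discussed above: a minimal RFC 1035 header and question-name walk that tells a real DNS query apart from an HTTP request line delivered to UDP/53 (the "GET / HTTP/1.1" payload in Jim's alert), and a parser that pulls the probing source addresses out of postfix "non-SMTP command" warnings like the ones James quotes. The log lines and addresses in the block are constructed for the example (RFC 5737 documentation addresses, not the hosts seen on the list), and the function names are the example's own.

```python
"""Classify UDP/53 payloads as DNS vs. HTTP probes, and extract probing
hosts from postfix "non-SMTP command" warnings.
Added example; sample inputs below are constructed, not captured data."""
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ", b"CONNECT ")


def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap RFC 1035 sanity check: 12-byte header, QR bit clear (a query,
    not a response), QDCOUNT >= 1, and a well-formed first question name
    followed by QTYPE/QCLASS. An HTTP request line fails the name walk."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount < 1:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:          # root label terminates the name
            pos += 1
            break
        if length & 0xC0:        # compression pointers are invalid here
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)   # QTYPE + QCLASS must follow the name


def classify_udp53_payload(payload: bytes) -> str:
    """Label a UDP/53 payload as 'dns-query', 'http-request' or 'unknown'."""
    if looks_like_dns_query(payload):
        return "dns-query"
    if payload.startswith(HTTP_METHODS):
        return "http-request"
    return "unknown"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a plain A-record query (RD set) for comparison with the probe."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


# Matches the warning postfix/smtpd logs when a client sends something
# that is not an SMTP verb, e.g. an HTTP request line.
POSTFIX_NON_SMTP = re.compile(
    r"postfix/smtpd\[\d+\]: warning: non-SMTP command from "
    r"(?P<host>\S+)\[(?P<ip>[0-9.]+)\]: (?P<cmd>.*)$")


def non_smtp_probes(log_lines):
    """Return {source_ip: [commands sent]} for non-SMTP command warnings."""
    probes = {}
    for line in log_lines:
        m = POSTFIX_NON_SMTP.search(line)
        if m:
            probes.setdefault(m.group("ip"), []).append(m.group("cmd"))
    return probes


# Constructed sample log (documentation addresses), mirroring the format
# of the postfix warnings quoted in the thread.
SAMPLE_LOG = [
    "Apr 16 06:56:48 gateway postfix/smtpd[3124]: warning: non-SMTP command "
    "from host-a.example.net[192.0.2.10]: GET http://www.example.com:80/p-25.html HTTP/1.0",
    "Apr 20 12:57:37 gateway postfix/smtpd[7623]: warning: non-SMTP command "
    "from unknown[192.0.2.20]: GET / HTTP/1.1",
    "Apr 20 12:58:01 gateway postfix/smtpd[7623]: connect from unknown[192.0.2.20]",
    "Apr 20 12:58:05 gateway postfix/smtpd[7623]: warning: non-SMTP command "
    "from unknown[192.0.2.20]: CONNECT 192.0.2.1:25 HTTP/1.0",
]

# Constructed UDP/53 payload matching the probe described in the question.
PROBE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"

if __name__ == "__main__":
    print("probe payload:", classify_udp53_payload(PROBE_PAYLOAD))
    print("real query:   ", classify_udp53_payload(build_dns_query("www.example.com")))
    for ip, cmds in non_smtp_probes(SAMPLE_LOG).items():
        print(ip, "->", cmds)
```

The header check alone is not enough: the bytes "GET " happen to decode as a transaction ID plus a flags word with the QR bit clear and a non-zero QDCOUNT, so it is the label walk (a length byte of 0x2E pointing past the end of the packet) that rejects the HTTP payload. Grouping the postfix warnings by source address is what turns individual "junk" lines into the per-host intel James mentions.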
