[Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?

Nick Randolph drandolph at ...1935...
Wed Apr 23 13:54:19 EDT 2014


I'll go ahead and answer both in this thread.
That rule was actually sent to us from a Snort user. They observed this
type of probe on their network and submitted a rule. It's simply suspicious
traffic. HTTP is a connectionless protocol so it's possible to implement it
over UDP but I don't know of anyone using it like that.


On Wed, Apr 23, 2014 at 10:47 AM, Eric G <eric at ...15503...> wrote:

> On Apr 23, 2014 10:04 AM, "Moore, Jim" <jmoore at ...16816...> wrote:
> >
> > Last night we had a whole series of these probes.  The packets were
> > addressed to UDP port 53 but contained nothing but HTTP headers
>
> Haha Jim and I apparently think alike... I posted the same question around
> 20 minutes before his
>
> I'm seeing the same odd traffic that has sprung up recently
>
> --
> Eric
> http://www.linkedin.com/in/ericgearhart
>
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...1935...
Sourcefire.com <http://www.sourcefire.com/>
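A defender-side check in the spirit of the rule discussed above, added here as an example and not part of the thread or of the Snort rule set: it parses a UDP port 53 payload as a DNS query and flags datagrams that instead begin with an HTTP request line. The three sample datagrams (a constructed query for example.com, a constructed HTTP request carrying the documentation address 192.0.2.10, and a few junk bytes) are made up for the demonstration.

```python
import struct

# Request-line prefixes that mark a datagram as HTTP rather than DNS.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """True if the datagram starts with an HTTP request line or status line."""
    head = payload[:16]
    return head.startswith(HTTP_METHODS) or head.startswith(b"HTTP/1.")


def parse_dns_query(payload: bytes):
    """Minimal DNS header + question parser.

    Returns (qname, qtype, qclass) for a well-formed single-question query,
    or None if the datagram does not parse as one. Additional records are
    allowed (EDNS0 OPT), answer/authority records are not.
    """
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:          # QR bit set: this is a response, not a query
        return None
    if qd != 1 or an or ns:     # a plain query carries exactly one question
        return None
    off = 12
    labels = []
    while True:                 # walk the QNAME labels
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:            # compression pointers are not valid in a query name
            return None
        if off + n > len(payload):
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!2H", payload[off:off + 4])
    return ".".join(labels), qtype, qclass


def classify_udp53(payload: bytes) -> str:
    """Label a UDP/53 payload: real query, HTTP smuggled onto the DNS port, or malformed."""
    if looks_like_http(payload):
        return "http-in-dns-port"
    if parse_dns_query(payload) is None:
        return "malformed-dns"
    return "dns-query"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with the RD flag set (used to construct the sample)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)


# Constructed sample datagrams, as if captured on UDP port 53.
SAMPLES = {
    "dns": build_dns_query("example.com"),
    "http": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: probe\r\n\r\n",
    "junk": b"\x00" * 5,
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:5s} -> {classify_udp53(pkt)}")
```

The HTTP check runs before the DNS parse on purpose: an HTTP request line happens to fail the DNS header checks too (its bytes land in the flags and question-count fields), but naming the finding "HTTP on the DNS port" is what makes it actionable for an analyst rather than just "malformed".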