[Snort-users] PROTOCOL-DNS Malformed DNS query with HTTP content. What's the angle?

Eric G eric at ...15503...
Wed Apr 23 17:20:04 EDT 2014


On Apr 23, 2014 2:17 PM, "Y M" <snort at ...15979...> wrote:
>
> Jim and Eric,
>
> It was me who wrote this rule. Sometime back in November 2013 I was
> looking at a full packet capture and found a couple of weird DNS probes; the
> HTTP one was one of them. Unfortunately I have no specific context for the
> traffic except that there was lots of "weird" traffic. Sorry.
>

Thanks! Finding the actual rule submitter is just what I was hoping for.

It is interesting! Why in the world some random Chinese IPs are trying to
throw HTTP GETs at UDP 53 makes no sense to me either, but I have the pcaps
to prove you weren't crazy when you wrote that rule!

Thanks,
--
Eric
http://www.linkedin.com/in/ericgearhart