[Emerging-Sigs] 2013075 Large DNS query and youtube.com

Dewhirst, Rob robdewhirst at gmail.com
Mon Oct 31 11:03:29 EST 2011


I could use some help interpreting what is going on here.

ET CURRENT_EVENTS Large DNS Query possible covert channel

Destination: [our.dns.server]
Source:  [some.ip.of.ours]
Type: UDP

Payload:

0000000: b3 4e 01 00 00 01 00 00 00 00 00 00 08 6c 67 61 31 35 73 33 30 08 6c 67 61 31  .N...........lga15s30.lga1
000001A: 35 73 33 31 08 6c 67 61 31 35 73 33 32 08 6c 67 61 31 35 73 33 33 08 73 6a 63  5s31.lga15s32.lga15s33.sjc
0000034: 30 37 73 31 35 08 73 6a 63 30 37 73 31 36 08 73 6a 63 30 37 73 31 37 08 73 6a  07s15.sjc07s16.sjc07s17.sj
000004E: 63 30 37 73 31 38 08 73 6a 63 30 37 73 32 30 08 73 6a 63 30 37 73 31 31 08 73  c07s18.sjc07s20.sjc07s11.s
0000068: 6a 63 30 37 73 31 32 08 73 6a 63 30 37 73 31 33 08 73 6a 63 30 37 73 31 34 08  jc07s12.sjc07s13.sjc07s14.
0000082: 73 65 61 30 33 73 30 31 08 73 65 61 30 33 73 30 32 08 73 65 61 30 39 73 30 35  sea03s01.sea03s02.sea09s05
000009C: 08 73 65 61 30 39 73 30 36 08 73 65 61 30 39 73 30 37 08 73 65 61 30 39 73 30  .sea09s06.sea09s07.sea09s0
00000B6: 38 08 73 65 61 30 39 73 30 39 08 73 65 61 30 39 73 31 30 03 6f 2d 6f 02 76 31  8.sea09s09.sea09s10.o-o.v1
00000D0: 08 6c 73 63 61 63 68 65 31 01 63 07 79 6f 75 74 75 62 65 03 63 6f 6d 00 00 01  .lscache1.c.youtube.com...
00000EA: 00 01                                                                           ..

Not sure about the etiquette for inquiries like this.  I googled and
found the spotify issue but nothing for youtube.
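Added example, not part of the original post: a small decoder for the payload quoted above, so a responder triaging this alert can see what the query actually asks for (a 27-label A query for a name under c.youtube.com, 236 bytes on the wire) rather than reading it off the hex dump. The payload bytes are transcribed from the post; the parser and its field names are assumptions for this example, not the signature's own logic.

```python
import struct

# The 236-byte UDP payload from the post, transcribed from its hex dump.
PAYLOAD = bytes.fromhex("""
b3 4e 01 00 00 01 00 00 00 00 00 00 08 6c 67 61 31 35 73 33 30 08 6c 67 61 31
35 73 33 31 08 6c 67 61 31 35 73 33 32 08 6c 67 61 31 35 73 33 33 08 73 6a 63
30 37 73 31 35 08 73 6a 63 30 37 73 31 36 08 73 6a 63 30 37 73 31 37 08 73 6a
63 30 37 73 31 38 08 73 6a 63 30 37 73 32 30 08 73 6a 63 30 37 73 31 31 08 73
6a 63 30 37 73 31 32 08 73 6a 63 30 37 73 31 33 08 73 6a 63 30 37 73 31 34 08
73 65 61 30 33 73 30 31 08 73 65 61 30 33 73 30 32 08 73 65 61 30 39 73 30 35
08 73 65 61 30 39 73 30 36 08 73 65 61 30 39 73 30 37 08 73 65 61 30 39 73 30
38 08 73 65 61 30 39 73 30 39 08 73 65 61 30 39 73 31 30 03 6f 2d 6f 02 76 31
08 6c 73 63 61 63 68 65 31 01 63 07 79 6f 75 74 75 62 65 03 63 6f 6d 00 00 01
00 01
""")


def parse_dns_query(pkt):
    """Decode the 12-byte header and the single question section of a DNS query."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, labels = 12, []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:            # zero-length root label ends the QNAME
            break
        if length & 0xC0:          # a compression pointer never belongs in a query's QNAME
            raise ValueError("compression pointer at offset %d" % (off - 1))
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    qname_len = off - 12           # QNAME bytes on the wire, terminator included
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount,
        "labels": labels,
        "name": ".".join(labels),
        "qname_len": qname_len,
        "qtype": qtype,            # 1 = A record
    }


def summarize(pkt):
    # One line for the analyst: how big the query is and what zone it ends in.
    q = parse_dns_query(pkt)
    return "%d-byte packet, %d-label QNAME (%d bytes on the wire), suffix %s" % (
        len(pkt), len(q["labels"]), q["qname_len"], ".".join(q["labels"][-3:]))
```

Run `print(summarize(PAYLOAD))` to get the one-line verdict; the label list itself shows the query is made of many short host-style names (lga15s30, sjc07s15, sea09s05, ...) packed into one QNAME, which is what pushes the packet over a size-based rule.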

