Hi,
Our Intrusion Detection and Prevention is flagging the following network activity from a PC with Norton 360 as suspicious.
From the PC, it is talking to 216.12.144.90 and 206.204.54.90 (sigs.symantec.com) on UDP port 53.
UDP port 53 is DNS, but looking at a packet capture of the data, it is a malformed DNS packet.
Can someone provide a small explanation or documentation on why sigs.symantec.com is being contacted via UDP 53?
I just need some verification and an explanation of this behavior.
Wireshark trace output:
No. Time Source Destination Protocol Info
1 0.000000 10.184.178.144 206.204.54.90 DNS Standard query Unknown (20804) <Unknown extended label> Unknown (17233) <Unknown extended label>[Malformed Packet]
Frame 1 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_xx:xx:00 (00:xx:xx:xx:xx:xx), Dst: Resilien_01:01:80 (00:60:ac:01:01:80)
Internet Protocol, Src: 10.184.178.144 (10.184.178.144), Dst: 206.204.54.90 (206.204.54.90)
User Datagram Protocol, Src Port: 65260 (65260), Dst Port: domain (53)
Source port: 65260 (65260)
Destination port: domain (53)
Length: 32
Checksum: 0x9685 [validation disabled]
Domain Name System (query)
[Malformed Packet: DNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
Thanks!
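An added example for anyone triaging the same kind of alert (this is not code from the post above, from Norton, or from Symantec): a small checker that applies the same structural tests a dissector such as Wireshark applies to a UDP/53 payload, so you can tell a genuine DNS query apart from some other protocol that merely uses port 53. The sample payloads at the bottom are constructed for illustration; the post does not include the captured bytes, so nothing here reproduces the poster's packet. The "extended label" error is the condition Wireshark prints as `<Unknown extended label>`: a label-length byte whose top two bits are 01 or 10.

```python
"""Triage a UDP/53 payload: is it a structurally valid DNS message or not?

Added example, not from the original post. It mirrors the checks a dissector
performs: fixed 12-byte header, sane flag bits, and a question section whose
labels are plain (type 00) labels that fit inside the payload.
"""
import struct

# Opcodes that are actually assigned (QUERY, IQUERY, STATUS, NOTIFY, UPDATE).
ASSIGNED_OPCODES = {0, 1, 2, 4, 5}
# Question classes a real resolver sends: IN, CH, HS, NONE, ANY.
VALID_QCLASSES = {1, 3, 4, 254, 255}
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}


def parse_question_name(payload, offset):
    """Walk a question-section name. Returns (name, offset_after_name).

    Raises ValueError on anything a resolver would never put in a question:
    extended label types (top bits 01/10), compression pointers (top bits 11),
    a label longer than the remaining bytes, or a missing root terminator.
    """
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of payload (no root label)")
        length = payload[offset]
        if length == 0:
            return (".".join(labels) or "."), offset + 1
        label_type = length >> 6
        if label_type == 0b11:
            raise ValueError("compression pointer inside question name")
        if label_type != 0b00:
            # The case Wireshark reports as "<Unknown extended label>".
            raise ValueError("extended label type byte 0x%02x" % length)
        end = offset + 1 + length
        if end > len(payload):
            raise ValueError("label of %d bytes overruns payload" % length)
        labels.append(payload[offset + 1:end].decode("ascii", "replace"))
        offset = end


def classify_dns_payload(payload):
    """Return a dict with verdict ('dns-query', 'dns-response' or 'not-dns'),
    a reason string, and the parsed questions as (name, qtype-name) tuples."""
    result = {"verdict": "not-dns", "reason": "", "questions": []}
    if len(payload) < 12:
        result["reason"] = "only %d bytes, shorter than the 12-byte header" % len(payload)
        return result
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    z_bit = (flags >> 6) & 1          # reserved, must be zero (RFC 1035)
    if opcode not in ASSIGNED_OPCODES:
        result["reason"] = "unassigned opcode %d" % opcode
        return result
    if z_bit:
        result["reason"] = "reserved Z flag bit set"
        return result
    if qr == 0 and opcode == 0 and qdcount == 0:
        result["reason"] = "standard query carrying no question"
        return result
    offset = 12
    try:
        for _ in range(qdcount):
            name, offset = parse_question_name(payload, offset)
            if offset + 4 > len(payload):
                raise ValueError("question truncated before QTYPE/QCLASS")
            qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            if qclass not in VALID_QCLASSES:
                raise ValueError("unknown QCLASS %d" % qclass)
            result["questions"].append((name, QTYPE_NAMES.get(qtype, "TYPE%d" % qtype)))
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    result["verdict"] = "dns-response" if qr else "dns-query"
    result["reason"] = "header and question section parse cleanly"
    return result


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal standard query so the checker has a known-good input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed samples (not the poster's captured bytes): a well-formed A query,
# and a payload with a plausible header whose first "label" byte is 0x41, i.e.
# top bits 01, which a dissector flags as an extended label.
GOOD_QUERY = build_query("sigs.symantec.com", qtype=1)
FAKE_DNS = struct.pack("!6H", 0xBEEF, 0x0100, 1, 0, 0, 0) + b"ABCDEFGHIJKL"

if __name__ == "__main__":
    for tag, sample in (("good", GOOD_QUERY), ("fake", FAKE_DNS), ("short", b"\x00\x01")):
        print(tag, classify_dns_payload(sample))
```

Run it over the UDP payload of each flagged packet (for example, the bytes after the 8-byte UDP header exported from the capture); a verdict of `not-dns` with an extended-label or overrun reason means the traffic is some other protocol on port 53 and should be evaluated on the reputation of the destination host rather than as a DNS query. The header checks alone are not enough, since 12 arbitrary bytes can easily look like a valid header, which is why the question-section walk does most of the work.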