https://live.paloaltonetworks.com/t5/custom-signatures/detect-random-sub-domain-dns-query/m-p/73710#M44 <P>Hi Yarianto,</P> <P>&nbsp;</P> <P>I think from aspect of device OS and custom signatures you could probably craft something that would work for that purpose... you would match dns-req-section with regex pattern, but I am not sure where to start with this signature - you can ask them to give you regex of what they want to block and than test it as custom signature. I am not sure this would be my first approach for problem as you describe it, but I guess it could work, why not. What is their actual complaint, can't it be resolved on the DNS server itself?</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0" target="_self">Here is manual</A> for custom signatures that explains dns-req-section. Note that at the end of the document you have reference to PAN-OS regex characters - it is a subset of what you would expect and there are no greedy expressions.</P> <P>&nbsp;</P> <P>Best regards</P> <P><BR />Luciano</P> Thu, 13 Jul 2023 21:38:51 GMT Lucky 2023-07-13T21:38:51Z https://live.paloaltonetworks.com/t5/custom-signatures/detect-random-sub-domain-dns-query/m-p/73523#M42 <P>Hello,</P> <P>&nbsp;</P> <P>I would like know if anyone has succesfull creating a custom signature either Custom spyware object or custom vulnerability signature to detect random sub-domain in DNS query.</P> <P>For example:</P> <P>We don't want to block <A href="http://www.yahoo.com" target="_blank">www.yahoo.com</A> or yahoo.com domain query.</P> <P>But if there are query something like abcd1234.yahoo.com, we should detect and alert using Anti-spyware profile.</P> <P>&nbsp;</P> <P>Can you recommend any solutions on how to solve this issue ?</P> <P>This is particularly happened in ISP where they need to block this kind of sub-domain query which is not exist actually and consume DNS resources.</P> <P>&nbsp;</P> <P>Regards,</P> <P>yarijanto</P> <P>&nbsp;</P> Thu, 25 Feb 2016 08:34:21 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detect-random-sub-domain-dns-query/m-p/73523#M42 yarijanto 2016-02-25T08:34:21Z https://live.paloaltonetworks.com/t5/custom-signatures/detect-random-sub-domain-dns-query/m-p/73710#M44 <P>Hi Yarianto,</P> <P>&nbsp;</P> <P>I think from aspect of device OS and custom signatures you could probably craft something that would work for that purpose... you would match dns-req-section with regex pattern, but I am not sure where to start with this signature - you can ask them to give you regex of what they want to block and than test it as custom signature. I am not sure this would be my first approach for problem as you describe it, but I guess it could work, why not. What is their actual complaint, can't it be resolved on the DNS server itself?</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0" target="_self">Here is manual</A> for custom signatures that explains dns-req-section. Note that at the end of the document you have reference to PAN-OS regex characters - it is a subset of what you would expect and there are no greedy expressions.</P> <P>&nbsp;</P> <P>Best regards</P> <P><BR />Luciano</P> Thu, 13 Jul 2023 21:38:51 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detect-random-sub-domain-dns-query/m-p/73710#M44 Lucky 2023-07-13T21:38:51Z