topic App-ID to trap iodine (DNS tunneling) in Automation/API Discussions

App-ID to trap iodine (DNS tunneling)

BastiaanBoutmans — Wed, 22 Jul 2015 13:29:48 GMT

Hi All,

I'm trying to create a custom signature to block iodine usage of DNS.

while doing a packet capture on it i spotted a returning set of values in the hex that would allow me to capture this traffic.

but i am not experienced enough to get this into an App-ID and am looking for help.

as can be seen below in the screenshot my goal would be to capture on the query (udp/53) to block the initial setup (client, server based) of the DNS tunneling.

the "Type: NULL" and "Class: IN" are always the same giving a hex string of "00 0a 00 01" in every data packet used by iodine.

would there be a way to configure this into a App-ID?

thank you for the support,

Bas.

Re: App-ID to trap iodine (DNS tunneling)

goku123 — Thu, 23 Jul 2015 16:04:08 GMT

Hi - Iodine activity should be covered by a couple of items already: 1. the application 'tcp-over-dns' (Application Research Center) and 2. A threat ID to detect additional TCP-over-DNS evasion (https://threatvault.paloaltonetworks.com/Home/ThreatDetail/37518). Please try including these in the test ruleset and look for triggers against these initially.

Re: App-ID to trap iodine (DNS tunneling)

BastiaanBoutmans — Mon, 27 Jul 2015 06:19:40 GMT

Hi Goku123,

indeed tcp-over-dns should capture these and it does once the stream is generating packets that are out of size for dns queries, i have this blocked by a rule.

However if the iodine data stays within the field length of the host name field, therefor not generating additional (truncated) data, the PAN-OS will just see it as dns and allow it to flow out.