https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/309571#M741 <P>Im trrying to detect dns tunneling with custom signatures.</P><P>i have some snort rules to begin.</P><P>&nbsp;</P><P>some of you have any strategies for this?</P> Wed, 05 Feb 2020 14:39:52 GMT Torito 2020-02-05T14:39:52Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/309571#M741 <P>Im trrying to detect dns tunneling with custom signatures.</P><P>i have some snort rules to begin.</P><P>&nbsp;</P><P>some of you have any strategies for this?</P> Wed, 05 Feb 2020 14:39:52 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/309571#M741 Torito 2020-02-05T14:39:52Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/309925#M752 <P>Hello,</P><P>Why not just have a security policy to block it at the application layer?</P><P>Just a thought.</P> Thu, 06 Feb 2020 22:51:22 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/309925#M752 OtakarKlier 2020-02-06T22:51:22Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/386595#M1077 <P>Hi<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132415">@Torito</a>,</P><P>&nbsp;</P><P>Heave you tried converting those signatures, if you want to use them, using the IPS Signature Converter Plugin for Panorama (<A href="https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/ips-signature-converter-for-panorama.html)?" target="_blank">https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/ips-signature-converter-for-panorama.html</A>)? With what result?</P><P>Another approach would be to use DNS Security Service (<A href="https://www.paloaltonetworks.com/products/threat-detection-and-prevention/dns-security" target="_blank">https://www.paloaltonetworks.com/products/threat-detection-and-prevention/dns-security</A>).</P><P>&nbsp;</P><P>Albert</P> Thu, 18 Feb 2021 13:41:09 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/386595#M1077 CCACieszkowski 2021-02-18T13:41:09Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/386599#M1078 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;</P><P>&nbsp;</P><P>Main reason would be that dns Application Signature does not detect all tunneling and&nbsp;<SPAN>tcp-over-dns&nbsp;Application Signature covers only a small subset of tools (" (...) application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX.").</SPAN></P><P><SPAN>dnscat2 goes through the firewall with ease.</SPAN></P><P>&nbsp;</P><P>Albert</P> Thu, 18 Feb 2021 13:47:21 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-tunneling/m-p/386599#M1078 CCACieszkowski 2021-02-18T13:47:21Z