topic Re: How to detect DNS TXT messages in General Topics

How to detect DNS TXT messages

IG-Support — Wed, 03 Oct 2012 07:33:52 GMT

is it possible to detect and furthermore block DNS TXT messages via a Threat Signature?

The goal is to disable DNS Queries regarding TXT resource records.

Not sure if the context dns-req-section does the job...

Did anyone ever try this?

Thanks!

Stefan

Re: How to detect DNS TXT messages

ppatel — Wed, 03 Oct 2012 07:44:00 GMT

Hi Stefan,

You should be able to block it.

I was able to search in this vulnerability signature in the threat DB. Threat Id:- 31941 CVE:-2008-2469

https://threatvault.paloaltonetworks.com/

Let me know if that helps.

Regards

Parth

Re: How to detect DNS TXT messages

IG-Support — Wed, 03 Oct 2012 07:50:09 GMT

Thanks for the quick reply! Unfortunately, this signature is not a generic TXT signature but rather addresses a specific threat which works by means of TXT records. Or at least thats my experience, otherwise I would have seen it in the threat logs.

Nevertheless, while this signature does not match, chances are that there is the possibility to write a generic signature.

Stefan

Re: How to detect DNS TXT messages

mikand — Wed, 03 Oct 2012 07:53:07 GMT

I think Parth meant since there is a signature regarding DNS TXT you should be able to create a custom one aswell.

Re: How to detect DNS TXT messages

ppatel — Wed, 03 Oct 2012 07:59:54 GMT

Correct. A custom threat signatures can be created.

Or if you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.

Regards

Parth

Re: How to detect DNS TXT messages

IG-Support — Wed, 03 Oct 2012 08:14:27 GMT

I see, makes sense... I prefer a generic solution which effectively matches all DNS TXT messages, no specific threat as such. If it helps, I can still submit a capture though.

In order to create a custom signature, do you have a working signature already or shall I submit a new case via support?

thanks,

Re: How to detect DNS TXT messages

ppatel — Wed, 03 Oct 2012 08:21:21 GMT

Stefan,

Support would not be able to assist you with the creation of custom signatures.

In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.

https://live.paloaltonetworks.com/community/devcenter

When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered that is when you want to contact support with the pcaps and other relevant data.

Regards

Re: How to detect DNS TXT messages

mikand — Wed, 03 Oct 2012 08:43:27 GMT

However you should be able to contact local support (the company you bought the PA stuff from) or your sales engineer at PA to get assisted.