I'd like some help creating a custom threat signature that would would detect/block DNS TXT requests similar to threat signature ID:34842 which detects DNS ANY Request.
The goal is to disable DNS Queries regarding TXT resource records from our LAN to the untrust network. We had an internal security audit done where they were able to tunnel out through DNS TXT records using a custom malware agent. This agent encoded all of it's TCP using base64 in proper DNS TXT records. I'd like to be able to block such attacks by being able to detect DNS TXT Request and block them, permitting only our SMTP servers to do such lookups.
Can anyone help me with building the Custom threat signature?
Do you have a packet capture of the DNS TXT request? That's going to be the first place to start when writing a custom signature.
I do have packet captures but they would only be helpful if I was trying to write a rule matching specific traffic patterns of the payload within the DNS TXT request which I'm not. Since so many tunneling tools exploit DNS TXT records using different encoding techniques, each would have different patterns so I'm just looking to create a signature that I can use detect and block all DNS TXT requests. The signature I'd like to create would be similar to threat signature ID:34842 which detects DNS ANY Request regardless if the payload of the ANY request.
Have you tried to block the tcp-over-dns application id? The AppID description says that "This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."
We block that by default but the technique I described wont get caught by them as the traffic isn't consistent with what it's looking for to identify those applications.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!