Custom threat signature to detect/block DNS TXT requests.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom threat signature to detect/block DNS TXT requests.

L1 Bithead

I'd like some help creating a custom threat signature that would would detect/block DNS TXT requests similar to threat signature ID:34842 which detects DNS ANY Request.

The goal is to disable DNS Queries regarding TXT resource records from our LAN to the untrust network.  We had an internal security audit done where they were able to tunnel out through DNS TXT records using a custom malware agent. This agent encoded all of it's TCP using base64 in proper DNS TXT records. I'd like to be able to block such attacks by being able to detect DNS TXT Request and block them, permitting only our SMTP servers to do such lookups.


Can anyone help me with building the Custom threat signature?

Thanks,

Fred

4 REPLIES 4

L4 Transporter

Hi Fred,

Do you have a packet capture of the DNS TXT request?  That's going to be the first place to start when writing a custom signature.

Thanks,

Jeff

Hi Jeff,

I do have packet captures but they would only be helpful if I was trying to write a rule matching specific traffic patterns of the payload within the DNS TXT request which I'm not. Since so many tunneling tools exploit DNS TXT records using different encoding techniques, each would have different patterns so I'm just looking to create a signature that I can use  detect and block all DNS TXT requests. The signature I'd like to create would be similar to threat signature ID:34842 which detects DNS ANY Request regardless if the payload of the ANY request.

Fred

Hi Fred,

Have you tried to block the tcp-over-dns application id?  The AppID description says that "This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

Jeff

Hi Jeff,

We block that by default but the technique I described wont get caught by them as the traffic isn't consistent with what it's looking for to identify those applications.

Fred

  • 4007 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!