is it possible to detect and furthermore block DNS TXT messages via a Threat Signature?
The goal is to disable DNS Queries regarding TXT resource records.
Not sure if the context dns-req-section does the job...
Did anyone ever try this?
You should be able to block it.
I was able to find this vulnerability signature in the threat DB. Threat ID: 31941, CVE: CVE-2008-2469.
Let me know if that helps.
Thanks for the quick reply! Unfortunately, this signature is not a generic TXT signature but rather addresses a specific threat which works by means of TXT records. Or at least that's my experience, otherwise I would have seen it in the threat logs.
Nevertheless, while this signature does not match, chances are that there is the possibility to write a generic signature.
Correct. Custom threat signatures can be created.
Or if you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.
I see, makes sense... I prefer a generic solution which effectively matches all DNS TXT messages, no specific threat as such. If it helps, I can still submit a capture though.
In order to create a custom signature, do you have a working signature already or shall I submit a new case via support?
Support would not be able to assist you with the creation of custom signatures.
In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.
When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered, that is when you want to contact support with the pcaps and other relevant data.
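An added example, not from this thread or from any vendor signature engine, showing what a generic "match every DNS TXT request" rule has to look at: the QTYPE field of each question in the request (value 16 for TXT, per RFC 1035). The sample queries are constructed inline, not captured traffic; the helper names are this example's own.

```python
import struct

QTYPE_TXT = 16  # RFC 1035 TXT resource record type

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS request (constructed sample input, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(struct.pack("B", len(part)) + part.encode()
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_questions(packet: bytes):
    """Return [(qname, qtype, qclass), ...] from the question section of a request."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:  # QR bit set: this is a response, not a request
        return []
    off, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(packet):
                raise ValueError("truncated QNAME")
            length = packet[off]
            if length & 0xC0:  # compression pointers are not valid in a request QNAME
                raise ValueError("compression pointer in question section")
            off += 1
            if length == 0:
                break
            labels.append(packet[off:off + length].decode("ascii", "replace"))
            off += length
        if off + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        questions.append((".".join(labels), qtype, qclass))
    return questions

def is_txt_query(packet: bytes) -> bool:
    """True if any question in the request asks for a TXT record."""
    return any(qtype == QTYPE_TXT for _, qtype, _ in parse_questions(packet))

if __name__ == "__main__":
    for name, qtype in [("example.com", QTYPE_TXT), ("example.com", 1)]:
        print(name, qtype, is_txt_query(build_query(name, qtype)))
```

A match on this field alone flags every TXT lookup, legitimate SPF/DKIM/DMARC checks included, so a blocking rule built this way should be scoped to the clients it is meant to cover.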