application dns and action reset both

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

application dns and action reset both

Cyber Elite
Cyber Elite

 

need to understand deeply reset both action by PA for dns query in threat logs

I know PA send the tcp fin to both ends.

 

But client who is doing dns query if it does not get reply what does it shows there ?

does the client again makes query?

 

or does PA allow some traffic and drops some?

how can i fgure this out?

MP

Help the community: Like helpful comments and mark solutions.
4 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@MP18,

The client makes the request a set number of times (depends on platform) and since it's not recieving a request will eventually time-out. The client can attempt to make the same query many times attempting to get a response, but it depends on the client. 

 

Generally speaking you won't really set the action to reset-both for DNS signatures; you would drop them or sinkhole the request. 

View solution in original post

L5 Sessionator

Hey @MP18

 

When using the reset-both action the behaviour is different depending on whether the protocol is UDP or TCP

 

For TCP:

A TCP-RST (reset) packet is sent to both the client and the server.

 

For UDP:

The firewall simply drops or discards the session.

 

Since DNS is UDP, in this scenario the DNS request will be dropped. From the client perspective, it would look something like a timeout or no response. It is then application dependant on whether the DNS query is attempted again.

 

Thanks,

Luke.

 

View solution in original post

@LukeBullimore,

That's what I was running into as well. 

@MP18, You might want to reach out to support and see if there is a way to re-base the signature database. Off hand I can't think of how you would go about doing so. You could also safetly exclude this signature from your threat profiles, as I pretty positive the signature should have been removed from your system. 

 

View solution in original post

@MP18,

You'll sometimes see the threats get pulled back for various reasons. Whether the threat campaign is no longer active, or if the signature was too broad and caught traffic that it wasn't designed/supposed to. 

View solution in original post

11 REPLIES 11

Cyber Elite
Cyber Elite

@MP18,

The client makes the request a set number of times (depends on platform) and since it's not recieving a request will eventually time-out. The client can attempt to make the same query many times attempting to get a response, but it depends on the client. 

 

Generally speaking you won't really set the action to reset-both for DNS signatures; you would drop them or sinkhole the request. 

it is for IDF 54122

Exim DKIM DNS Decoding Buffer Overflow Vulnerability

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

Can you check your Applications and Threats version for me real quick; I'm pretty sure that 54122 was pulled a while back. 

i am running 8080-5081

MP

Help the community: Like helpful comments and mark solutions.

L5 Sessionator

Hey @MP18

 

When using the reset-both action the behaviour is different depending on whether the protocol is UDP or TCP

 

For TCP:

A TCP-RST (reset) packet is sent to both the client and the server.

 

For UDP:

The firewall simply drops or discards the session.

 

Since DNS is UDP, in this scenario the DNS request will be dropped. From the client perspective, it would look something like a timeout or no response. It is then application dependant on whether the DNS query is attempted again.

 

Thanks,

Luke.

 

@MP18,

Specific to your Threat ID you have listed, @LukeBullimore could you look at one of your firewalls and see if you have the specified threat ID? 

The ID that you've specified isn't present on any of my appliances, or a fresh VM install. I'm kind of wondering if you someone didn't get a signature "stuck" on your firewall that has since been pulled. 

Hey @BPry

 

I couldn't find that TID on any of the firewalls I checked. I'm looking at the Threat Vault for that TID and also "DNS Decoding Buffer Overflow Vulnerability" but I'm finding nothing - so I definitely think you're right in saying that this has been pulled.

 

I get emailed every time there is a new content update, and I'm not able to find anything by searching through my emails either.

@LukeBullimore,

That's what I was running into as well. 

@MP18, You might want to reach out to support and see if there is a way to re-base the signature database. Off hand I can't think of how you would go about doing so. You could also safetly exclude this signature from your threat profiles, as I pretty positive the signature should have been removed from your system. 

 

yes you are right unable to find this signature any more.

Seems it is pulled back.

 

Good to know that updates can also remove the signature if not needed any more. 

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

You'll sometimes see the threats get pulled back for various reasons. Whether the threat campaign is no longer active, or if the signature was too broad and caught traffic that it wasn't designed/supposed to. 

learned something new.

Many thanks for answering the questions.

MP

Help the community: Like helpful comments and mark solutions.
  • 4 accepted solutions
  • 4323 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!