07-22-2015 06:29 AM
I'm trying to create a custom signature to block iodine usage of DNS.
while doing a packet capture on it i spotted a returning set of values in the hex that would allow me to capture this traffic.
but i am not experienced enough to get this into an App-ID and am looking for help.
as can be seen below in the screenshot my goal would be to capture on the query (udp/53) to block the initial setup (client, server based) of the DNS tunneling.
the "Type: NULL" and "Class: IN" are always the same giving a hex string of "00 0a 00 01" in every data packet used by iodine.
would there be a way to configure this into a App-ID?
thank you for the support,
07-23-2015 09:04 AM
Hi - Iodine activity should be covered by a couple of items already: 1. the application 'tcp-over-dns' (Application Research Center) and 2. A threat ID to detect additional TCP-over-DNS evasion (https://threatvault.paloaltonetworks.com/Home/ThreatDetail/37518). Please try including these in the test ruleset and look for triggers against these initially.
07-26-2015 11:19 PM
indeed tcp-over-dns should capture these and it does once the stream is generating packets that are out of size for dns queries, i have this blocked by a rule.
However if the iodine data stays within the field length of the host name field, therefor not generating additional (truncated) data, the PAN-OS will just see it as dns and allow it to flow out.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!