This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Custom threat signature to detect/block DNS TXT requests.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom threat signature to detect/block DNS TXT requests.

Intelliware
L1 Bithead

‎07-16-2015 08:56 AM

I'd like some help creating a custom threat signature that would would detect/block DNS TXT requests similar to threat signature ID:34842 which detects DNS ANY Request.

The goal is to disable DNS Queries regarding TXT resource records from our LAN to the untrust network.  We had an internal security audit done where they were able to tunnel out through DNS TXT records using a custom malware agent. This agent encoded all of it's TCP using base64 in proper DNS TXT records. I'd like to be able to block such attacks by being able to detect DNS TXT Request and block them, permitting only our SMTP servers to do such lookups.


Can anyone help me with building the Custom threat signature?

Thanks,

Fred

0 Likes Likes
4 REPLIES 4

jwolach
L4 Transporter

‎07-16-2015 01:03 PM

Hi Fred,

Do you have a packet capture of the DNS TXT request?  That's going to be the first place to start when writing a custom signature.

Thanks,

Jeff

0 Likes Likes

Intelliware
L1 Bithead
In response to jwolach

‎07-17-2015 06:59 AM

Hi Jeff,

I do have packet captures but they would only be helpful if I was trying to write a rule matching specific traffic patterns of the payload within the DNS TXT request which I'm not. Since so many tunneling tools exploit DNS TXT records using different encoding techniques, each would have different patterns so I'm just looking to create a signature that I can use  detect and block all DNS TXT requests. The signature I'd like to create would be similar to threat signature ID:34842 which detects DNS ANY Request regardless if the payload of the ANY request.

Fred

0 Likes Likes

jwolach
L4 Transporter
In response to Intelliware

‎07-22-2015 06:24 PM

Hi Fred,

Have you tried to block the tcp-over-dns application id?  The AppID description says that "This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

Jeff

0 Likes Likes

Intelliware
L1 Bithead
In response to jwolach

‎07-23-2015 07:19 AM

Hi Jeff,

We block that by default but the technique I described wont get caught by them as the traffic isn't consistent with what it's looking for to identify those applications.

Fred

0 Likes Likes
  • 4429 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks