07-05-2022 06:16 AM
I've built two signatures for DNS. One to indicate recursive lookup and not recursive lookup. When I test, the app that is evaluated first is triggered. reverse the order and the formerly 2nd app triggers. It is like the expressions are not evaluated.
Has anyone done this before?
I have a case open with paloalto about this, but it has been open for almost a year.
07-06-2022 01:01 PM
what does your signature look like?
07-18-2022 12:15 PM
I want to block the request traffic that this wireshark display filter would select:
(((dns.flags.response == 0) && (dns.flags.recdesired == 1)) && (dns.flags.opcode == 0)) && (ip.proto == 17) and only looking at port 53 traffic.
08-26-2022 02:47 PM - edited 08-26-2022 02:49 PM
Just create a 4 conditions that match a string and the specify the text.
I think that the dns request header context should do the job:
You can also match on a reqex but you will need a reqex that matches 4 strings/words and they all should be in the pact (AND &&) but maybe better just add 4 conditions joined with a ‘AND
11-22-2022 05:25 AM - edited 11-22-2022 05:31 AM
Did you manage to resolve this ? Also as a note you can do app flow debug to see if you are matching the correct app to get the idea if Palo Alto is not matching the wrong app:
Maybe try also switching between DNS UDP to TCP or vice versa as this could be related to the issue who knows (maybe TCP DNS and UDP DNS are seen differently by the palo alto device) as maybe you will need to use custom app with unknown tcp/udp context (CPU intensive just for info):
You can play also with using the Palo Alto DNS proxy feature as this may help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
