10-03-2012 12:33 AM
Is it possible to detect and furthermore block DNS TXT messages via a Threat Signature?
The goal is to disable DNS Queries regarding TXT resource records.
Not sure if the context dns-req-section does the job...
Did anyone ever try this?
Thanks!
Stefan
10-03-2012 12:44 AM
Hi Stefan,
You should be able to block it.
I was able to search for this vulnerability signature in the threat DB. Threat ID: 31941, CVE-2008-2469
https://threatvault.paloaltonetworks.com/
Let me know if that helps.
Regards
Parth
10-03-2012 12:50 AM
Thanks for the quick reply! Unfortunately, this signature is not a generic TXT signature but rather addresses a specific threat which works by means of TXT records. Or at least that's my experience, otherwise I would have seen it in the threat logs.
Nevertheless, while this signature does not match, chances are that there is the possibility to write a generic signature.
BR
Stefan
10-03-2012 12:53 AM
I think Parth meant since there is a signature regarding DNS TXT you should be able to create a custom one as well.
10-03-2012 12:59 AM
Correct. A custom threat signature can be created.
Or if you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.
Regards
Parth
10-03-2012 01:14 AM
I see, makes sense... I prefer a generic solution which effectively matches all DNS TXT messages, no specific threat as such. If it helps, I can still submit a capture though.
In order to create a custom signature, do you have a working signature already or shall I submit a new case via support?
Thanks,
S
10-03-2012 01:21 AM
Stefan,
Support would not be able to assist you with the creation of custom signatures.
In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.
https://live.paloaltonetworks.com/community/devcenter
When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered, that is when you want to contact support with the pcaps and other relevant data.
Regards
10-03-2012 01:43 AM
However you should be able to contact local support (the company you bought the PA stuff from) or your sales engineer at PA to get assisted.
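As an added illustration (not part of any post in this thread, and not Palo Alto Networks signature syntax): what a generic "TXT query" match has to look at is the 16-bit QTYPE field that follows the QNAME in the question section of a DNS request. The Python sketch below walks the question section and reports QTYPE 16; the function names are hypothetical, the sample queries are constructed, and it assumes a UDP DNS payload (no TCP length prefix).

```python
import struct

QTYPE_TXT = 16  # TXT record type (RFC 1035)

def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a minimal DNS query payload (UDP, no length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def question_types(msg):
    """Return [(qname, qtype), ...] from the question section of a DNS query."""
    if len(msg) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: response, not a query")
    off, out = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(msg):
                raise ValueError("truncated QNAME")
            n = msg[off]
            off += 1
            if n == 0:  # root label ends the name
                break
            if n & 0xC0:  # pointers/extended labels: treated as malformed here
                raise ValueError("unexpected label type in question")
            if off + n > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[off:off + n].decode("ascii", "replace"))
            off += n
        if off + 4 > len(msg):
            raise ValueError("truncated QTYPE/QCLASS")
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append((".".join(labels), qtype))
    return out

def is_txt_query(msg):
    """True only if a well-formed query asks for a TXT record."""
    try:
        return any(t == QTYPE_TXT for _, t in question_types(msg))
    except ValueError:
        return False

if __name__ == "__main__":
    print(is_txt_query(build_query("example.com", QTYPE_TXT)))
    print(is_txt_query(build_query("abcdefghijklmnop.example.com", 1)))
```

The second sample is an A query whose first label is 16 characters long, so the bytes `00 10` appear in the packet even though it is not a TXT request; a pattern that is not anchored to the position after the QNAME would match it.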