How to detect DNS TXT messages

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to detect DNS TXT messages

L1 Bithead

is it possible to detect and furthermore block DNS TXT messages via a Threat Signature?

The goal is to disable DNS Queries regarding TXT resource records.

Not sure if the context dns-req-section does the job...

Did anyone ever try this?

Thanks!

Stefan

1 accepted solution

Accepted Solutions

Stefan,

Support would not be able to assist you with the creation of custom signatures.

In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.

https://live.paloaltonetworks.com/community/devcenter

When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered that is when you want to contact support with the pcaps and other relevant data.

Regards

View solution in original post

7 REPLIES 7

L4 Transporter

Hi Stefan,

You should be able to block it.

I was able to search in this vulnerability signature in the threat DB.   Threat Id:- 31941  CVE:-2008-2469

https://threatvault.paloaltonetworks.com/

dns-txt.PNG

Let me know if that helps.

Regards

Parth

Thanks for the quick reply! Unfortunately, this signature is not a generic TXT signature but rather addresses a specific threat which works by means of TXT records. Or at least thats my experience, otherwise I would have seen it in the threat logs.

Nevertheless, while this signature does not match, chances are that there is the possibility to write a generic signature.

BR

Stefan

I think Parth meant since there is a signature regarding DNS TXT you should be able to create a custom one aswell.

Correct. A custom threat signatures can be created.

Or if you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.

Regards

Parth

I see, makes sense... I prefer a generic solution which effectively matches all DNS TXT messages, no specific threat as such. If it helps, I can still submit a capture though.

In order to create a custom signature, do you have a working signature already or shall I submit a new case via support?

thanks,

S

Stefan,

Support would not be able to assist you with the creation of custom signatures.

In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.

https://live.paloaltonetworks.com/community/devcenter

When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered that is when you want to contact support with the pcaps and other relevant data.

Regards

However you should be able to contact local support (the company you bought the PA stuff from) or your sales engineer at PA to get assisted.

  • 1 accepted solution
  • 4595 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!