Monitor NXDOMAIN Unknown Answers (Failures)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Monitor NXDOMAIN Unknown Answers (Failures)

L0 Member

Does anyone know if it is possible to monitor for NXDOMAIN Unknown Answers (Failures) with PanOS 5.0 ?

Would it be a custom signature/application that needs to be created?

3 REPLIES 3

L6 Presenter

I did not hear about any function doing that.

if Nxdomain answers has a common criteria maybe....

According to the manual "DNS" is currently not available (in PANOS 5.0) as decoder for custom signatures.

If it were you would be able to create a custom signature that brings you an alert (a log entry) each time a NXDOMAIN answer is seen.

Without the decoder you can still create a custom signature based on the hex-values but then this string must be 7 chars (or something like that) and you will most likely get a bunch of false positives because this string is matched through the whole session and not just in a specific "field".

L4 Transporter

Hello Bengbrewer,

You can create a Custom Vulnerability Signature to look for the HEX values in a DNS Response header part of a packet that has the No Such Name flag (NXDOMAIN).  Below is my custom signature to do just that.

<vulnerability-threat version="6.0.0">

  <entry name="41000">

    <signature>

      <standard>

        <entry name="NXDOMAIN">

          <and-condition>

            <entry name="And Condition 1">

              <or-condition>

                <entry name="Or Condition 1">

                  <operator>

                    <pattern-match>

                      <pattern>\x81830001000000\x</pattern>

                      <context>dns-rsp-header</context>

                    </pattern-match>

                  </operator>

                </entry>

              </or-condition>

            </entry>

          </and-condition>

          <order-free>no</order-free>

          <scope>protocol-data-unit</scope>

        </entry>

      </standard>

    </signature>

    <default-action>

      <alert/>

    </default-action>

    <threatname>NXDOMAIN</threatname>

    <severity>informational</severity>

    <direction>server2client</direction>

    <affected-host>

      <client>yes</client>

      <server>yes</server>

    </affected-host>

  </entry>

</vulnerability-threat>

Hope it helps.

Kind regards,

Jeff

  • 2574 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!