This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Monitor NXDOMAIN Unknown Answers (Failures)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Monitor NXDOMAIN Unknown Answers (Failures)

bengbrewer
L0 Member

‎05-05-2013 06:32 PM

Does anyone know if it is possible to monitor for NXDOMAIN Unknown Answers (Failures) with PanOS 5.0 ?

Would it be a custom signature/application that needs to be created?

0 Likes Likes
3 REPLIES 3

panos
L6 Presenter

‎06-08-2013 07:36 PM

I did not hear about any function doing that.

if Nxdomain answers has a common criteria maybe....

0 Likes Likes

mikand
L6 Presenter
In response to panos

‎06-09-2013 11:54 PM

According to the manual "DNS" is currently not available (in PANOS 5.0) as decoder for custom signatures.

If it were you would be able to create a custom signature that brings you an alert (a log entry) each time a NXDOMAIN answer is seen.

Without the decoder you can still create a custom signature based on the hex-values but then this string must be 7 chars (or something like that) and you will most likely get a bunch of false positives because this string is matched through the whole session and not just in a specific "field".

0 Likes Likes

jwolach
L4 Transporter

‎06-18-2014 04:16 PM

Hello Bengbrewer,

You can create a Custom Vulnerability Signature to look for the HEX values in a DNS Response header part of a packet that has the No Such Name flag (NXDOMAIN).  Below is my custom signature to do just that.

<vulnerability-threat version="6.0.0">

  <entry name="41000">

    <signature>

      <standard>

        <entry name="NXDOMAIN">

          <and-condition>

            <entry name="And Condition 1">

              <or-condition>

                <entry name="Or Condition 1">

                  <operator>

                    <pattern-match>

                      <pattern>\x81830001000000\x</pattern>

                      <context>dns-rsp-header</context>

                    </pattern-match>

                  </operator>

                </entry>

              </or-condition>

            </entry>

          </and-condition>

          <order-free>no</order-free>

          <scope>protocol-data-unit</scope>

        </entry>

      </standard>

    </signature>

    <default-action>

      <alert/>

    </default-action>

    <threatname>NXDOMAIN</threatname>

    <severity>informational</severity>

    <direction>server2client</direction>

    <affected-host>

      <client>yes</client>

      <server>yes</server>

    </affected-host>

  </entry>

</vulnerability-threat>

Hope it helps.

Kind regards,

Jeff

  • 2569 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks