RegEx for specific DNS strings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RegEx for specific DNS strings

L2 Linker

I was working on getting Data Filtering to block specific DNS requests with no resolution.

So, I am creating a Custom Application for DNS with a Pattern matching, which is partially working.

Working strings:

Under Objects/Applications/("Added applications, DNS DDOS, DNS DDOS1, OUR DNS").

Configuration:  Category = "general-internet", Subcategory = "internet-utility", Technology = "client-server", Parent App = "dns" Risk = "3"

Signatures, Added first two (OR condition) with the following:

Context = "dns-req-section", Pattern = "ddostheinter.net" (Not sure if it is parsing the ".net" portion of this string)

Context = "dns-req-section", Pattern = "directedat.asia" (again not sure of the parsing after the period)

Set to a Security rule, and it blocks these specific DNS requests to our firewall.

So, I am attempting to set up to only ALLOW legitimate requests for OUR public services (OUR DNS), and having issues.

Context = "dns-req-section", Pattern = "ab.cdefgh.ij.us", returns error (I have obscured our legitimate DNS domain)

"-> signature -> DNS  -> and-condition -> And Condition 2 ->
or-condition -> Or Condition 1 -> operator -> pattern-match
-> pattern 'ab.cdefgh.ij.us' is invalid. pattern must be at least 7
bytes"

I have also tried several iterations, including:

'.*(ab.cdefgh.ij.us)' - returns same error as above.

'ab\.cdefgh\.ij\.us' - No error, but applying to a Security Rule, it does NOT match any traffic on this rule, although it (this DNS traffic) IS allowed in another Security Rule further down...

'.*(ab\.cdefgh\.ij\.us)' - same as above, no error, but not matching Rule.

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker

Just wanted to close the loop on this "issue", the RegEx strings that were suggested above DO WORK, I found via Tech Support that the DEFAULT Program will Over-Ride the Custom Programs, even if the Security Rules are set correctly.

Example: We were blocking Custom DNS RegEx strings for DDOS blocking, and allowing all other DNS (Worked great)

We changed our Security Rules to ALLOW only OUR DNS, then set the DNS rule (default program) to block further down, and it blocked ALL DNS requests. This is due to the APPLICATION inspection taking place BEFORE the Security Rule processing, and with DNS (default) being blocked, it NEVER looked at the Custom DNS applications, and also ignored all the DNS security rules..... Seems kind of a broken thought/engineering process to me...

Our fix (via tech support):  Created the Custom Application to ALLOW OUR DNS, then created ANOTHER Custom Application that will match for ALL DNS requests . (Regex that looked for this information: "identifying the two bytes for number of Questions, Answers, Authority, and first byte of Additional RRs" (\x 00 01 00 00 00 00 00 \x).  We then allowed our DNS Custom Application, and blocked this new Generic DNS custom application, and at the bottom of our Security Rules allow the default DNS application. (This is now getting zero hits).

Thanks for all the assistance with this...

View solution in original post

13 REPLIES 13

L7 Applicator

Regular expressions can not be used without a basic 7-byte string first. The period is a wildcard character in a regex, so it is seeing only 2 characters then a regex value.

For your first example, you could use:

ab\.cdefgh\.ij\.us (technically you only need the first 7 bytes, or ab\.cdef to satisfy the requirement, but it will be a much broader match)

That should allow it to work similarly to your first two working domains.

Hope this helps,

Greg

L3 Networker

welcome in the 7 bytes world 🙂

gwesson has right your pattern should works fine with   

Pattern = "ddostheinter\.net"

Pattern = "directedat\.asia"

L2 Linker

I am assuming the patterns for the Malware blocking are working, as the period (.) would be found as a wildcard, so the original string would still be read correctly for these, even though the "period/wildcard" could be any character.

As for our DNS domain string, I think there may be an issue with the way I set up the Custom Application, or the Security rule, as one of the configuration attempts (and I do NOT remember which one), was hitting this rule for our inbound WEB traffic requests. I am somewhat confused as this rule was cloned from the MalWare rule, and only the text of the RegEx string was changed. (and traffic allowed on the Security Rule.)

The Custom Application is set up as follows:

Category = "general-internet", Subcategory = "internet-utility", Technology = "client-server", Parent App = "dns" Risk = "3"

Signature = Condition = "OR condition 1", Operator = "pattern-match", Context = "dns-req-section", Pattern = "ab\.cdefgh.ij.us" (This is the latest iteration I am trying, I don't really care about the "period/wildcard" issues near the end of the string at this time...)

I also tried changing the Context to "unknown-req-tcp-payload" and "unknown-req-udp-payload" with no change of status.


I have our Security rule set up for ANY request to EITHER of our two DNS servers, for ANY traffic, with the Custom Application for above.

(again, this Security rule was cloned from the Malware Security rule, then modified for the string and allowing traffic)


Any other suggestions?

L2 Linker

I am convinced that ANY pattern matching that includes any wildcards before the 7 character minimum limit does NOT work, even with a valid pattern. I would appreciate ANYONE testing to confirm this.

Set up a Custom Application that mirrors DNS, then add a pattern matching for a specific DNS pattern with few leading characters ("fs.fed.us" maybe?) apply a Security Rule with this application, then run a DNS query to your DNS servers for this domain.

I believe that even with a valid application pattern, and security rule, it will NOT get any hits on the rule... then change that pattern to one that has more than 7 leading characters before any wildcard/periods, it will probably work.

Both of our blocking pattern matches work, because they have over 7 characters before the first "wildcard" period, but our third rule that requires the literal backslash has NEVER worked (I believe that the one random working web DNS request was a misconfiguration elsewhere).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!