About scottlsattler

I am not talking about the typical DNS tunneling. There are 20 clients out there that can do dns tunneling. I am talking about using the DNS protocol itself for command and control and data exfiltration, doesn't matter if you proxy or send up to root or your ISP. I see it all the time at clients, It would be nice if there was a signature that could detect (Without me continuing to write them) large TXT fields or protocol violations.....etc etc.. ... View more

DNS for ex filtration is catching many of the vendors off guard. Specialty vendors like Damballa do a fairly decent job. Don't expect a firewall vendor to invest the effort to track this type of ex filtration and CnC activity any time soon. You will find the typical signatures for tunneling protocols over DNS which are relatively easy to spot and so are the Gen 3/4 version of the DNS DGA malware that is out in the public. However malware that uses the additional dns fields to exfiltrate data or for CNC activity has not been looked at or addressed by any vendor that I know off. I know many of security folk who simply don't log or look at DNS traffic making it an ideal avenue for data exfiltration ... View more

If your looking for DLP get Vontu.......DLP "lite" is what you have here similiar to checkpoint......if you like being flooded with false positives, by all means..... I do have a question though on file content....I am writing some Arcsight use cases and tracking which file names are transfered over which application protocol by user. I do not seem to be able to find a document which outlines the signature matches for the various documents. (such as File microsoft MSOFFICE(52033) or a File Microsoft Office 2007 xls document 52024) etc etc..... I built some nice use cases with fireeye to pickup on the .jar files coming in but since this client doesnt have a dlp solution (yet) I do want to give an idea of what type of file names are leaving the perimeter to give them a little "boost" in acquiring DLP capability. Thanks ... View more