This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About BastiaanBoutmans
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About BastiaanBoutmans
08-20-2015
2Posts
0Likes
0Solutions
Aug 20, 2015Last Visited
User
Activity
User
Profile
Latest posts by BastiaanBoutmans
| Subject | Views | Posted |
|---|---|---|
| 2415 | 07-26-2015 11:19 PM | |
| 2461 | 07-22-2015 06:29 AM |
User Badges
Community Statistics
| Member Since | 07-22-2015 06:14 AM |
| Date Last Visited | 08-20-2015 06:46 AM |
| Posts | 2 |
07-26-2015
11:19 PM
Hi Goku123, indeed tcp-over-dns should capture these and it does once the stream is generating packets that are out of size for dns queries, i have this blocked by a rule. However if the iodine data stays within the field length of the host name field, therefor not generating additional (truncated) data, the PAN-OS will just see it as dns and allow it to flow out.
... View more
07-22-2015
06:29 AM
Hi All, I'm trying to create a custom signature to block iodine usage of DNS. while doing a packet capture on it i spotted a returning set of values in the hex that would allow me to capture this traffic. but i am not experienced enough to get this into an App-ID and am looking for help. as can be seen below in the screenshot my goal would be to capture on the query (udp/53) to block the initial setup (client, server based) of the DNS tunneling. the "Type: NULL" and "Class: IN" are always the same giving a hex string of "00 0a 00 01" in every data packet used by iodine. would there be a way to configure this into a App-ID? thank you for the support, Bas.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-20-2015
06:46 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks