https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971177#M925638 <P>Hello Norix,</P> <P></P> <P>Thank you for your comment. &nbsp;I believe this is in the wrong forum to get the proper assistance. &nbsp;Please try posting this to the <A href="https://supportforums.cisco.com/community/12244781/snort-rule-coverage" target="_blank">Snort Rule Coverage</A> rather than AMP as this will allow the proper personnel to address the issue.</P> <P></P> <P>Thanks,</P> <P>Matthew Franks</P> <P>ENGINEER, CUSTOMER SUPPORT</P> <P>FirePOWER TAC</P> Tue, 30 Aug 2016 14:04:47 GMT Matthew Franks 2016-08-30T14:04:47Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971176#M925637 <P>Experts,</P> <P></P> <P>I have gone through some recent vulnerabilities document from cisco and came to read a topic on DNS Tunneling &amp; an Application tool that may perform such activity - DNScapy.</P> <P></P> <P>"&nbsp;</P> <P>DNScapy is a DNS tunneling tool. The code is very light and written in Python. It includes a server and a client. The server can handle multiple clients.</P> <P>DNScapy creates an SSH tunnel through DNS packets. SSH connection, SCP and proxy socks (SSH -D) are supported. You can use CNAME records or TXT records for the tunnel. The default mode is RAND, which uses randomly both CNAME and TXT.</P> <P>DNScapy uses Scapy (<A href="http://www.secdev.org/scapy" rel="nofollow" target="_blank">http://www.secdev.org/scapy</A>) for DNS packet forging and for his network automation API.</P> <P></P> <P>"</P> <P></P> <P>Now, on the preventive end, is there any Signature Cisco may want to release for IPS &amp; Sourcefire units?</P> <P><G class="gr_ gr_45 gr-alert gr_gramm gr_run_anim Grammar multiReplace" id="45" data-gr-id="45">Is</G> there any measures Cisco suggest we could implement from within the device?</P> <P></P> <P>Thanks!</P> <P>Norix S.&nbsp;</P> <P></P> <P></P> Fri, 21 Feb 2020 13:54:27 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971176#M925637 Norix S 2020-02-21T13:54:27Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971177#M925638 <P>Hello Norix,</P> <P></P> <P>Thank you for your comment. &nbsp;I believe this is in the wrong forum to get the proper assistance. &nbsp;Please try posting this to the <A href="https://supportforums.cisco.com/community/12244781/snort-rule-coverage" target="_blank">Snort Rule Coverage</A> rather than AMP as this will allow the proper personnel to address the issue.</P> <P></P> <P>Thanks,</P> <P>Matthew Franks</P> <P>ENGINEER, CUSTOMER SUPPORT</P> <P>FirePOWER TAC</P> Tue, 30 Aug 2016 14:04:47 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971177#M925638 Matthew Franks 2016-08-30T14:04:47Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971178#M925639 <P>Frank</P> <P></P> <P>Noted on the correction.</P> <P></P> <P>Thanks&nbsp;</P> Tue, 30 Aug 2016 23:58:36 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971178#M925639 Norix S 2016-08-30T23:58:36Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971179#M925640 <P>anyone care to share their thoughts on this?</P> Thu, 01 Sep 2016 03:03:21 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971179#M925640 Norix S 2016-09-01T03:03:21Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971180#M925641 <P>I too have the same question guys, any update ?</P> <P>Thanks in advance.</P> Mon, 28 Nov 2016 10:29:49 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/2971180#M925641 paulturn 2016-11-28T10:29:49Z https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/3187312#M925642 Did you find any solution?<BR />Thank you Thu, 21 Sep 2017 12:15:41 GMT https://community.cisco.com/t5/network-security/signature-to-detect-dns-tunneling-sourcefire/m-p/3187312#M925642 rick11 2017-09-21T12:15:41Z