https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471850#M95195 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Yes, I know how to tune signatures. </P><P>The problem here is, DNS tunneling uses the "normal" DNS servers. So I can filter signature 6066 for src or dst of my DNS servers but than I will never see any DNS tunneling again. </P><P>Any other suggestion?</P><P></P><P>Regards</P><P>Markus</P><P></P></BODY></HTML> Mon, 31 Oct 2005 15:01:16 GMT m.rainer 2005-10-31T15:01:16Z https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471848#M95184 <P>Hello,</P><P>We have a problem regarding signature 6066. We got immens numbers of false-positives. The description of that signature tells:</P><P>This signature fires upon detecting an excessively large number of DNS TXT record lookups originating from a single source. This may indicate the presence of a DNS tunneling tool in operation</P><P></P><P>I turned on "trigger packets" for that signtature and found out that the DNS servers are communicating normal and the TXT record only shows some "standard query TXT [domain].com (I don't want to write down the real domain here!) </P><P>So in my opinion it's a false positiv. But how can I tune that signature not to see any false poitives? </P><P>Any idea?</P><P></P><P>Thanks a lot</P><P>Markus</P> Sun, 10 Mar 2019 09:43:28 GMT https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471848#M95184 m.rainer 2019-03-10T09:43:28Z https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471849#M95190 <HTML><HEAD></HEAD><BODY><P>If you are sure that it is a false positive you can modify whatever you are using to monitor the IPS to ignore that signature when the source IP is that particular one. You don't have to turn it off globally.</P><P></P><P>Hope this helps.</P><P></P><P></P><P>Please remember to rate all replies</P></BODY></HTML> Mon, 31 Oct 2005 13:43:13 GMT https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471849#M95190 travis-dennis_2 2005-10-31T13:43:13Z https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471850#M95195 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Yes, I know how to tune signatures. </P><P>The problem here is, DNS tunneling uses the "normal" DNS servers. So I can filter signature 6066 for src or dst of my DNS servers but than I will never see any DNS tunneling again. </P><P>Any other suggestion?</P><P></P><P>Regards</P><P>Markus</P><P></P></BODY></HTML> Mon, 31 Oct 2005 15:01:16 GMT https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471850#M95195 m.rainer 2005-10-31T15:01:16Z https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471851#M95199 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>No one out there ever had problems with DNS tunneling in his/her network? How did you solve that problems?</P><P>Best regards</P><P>Markus</P></BODY></HTML> Fri, 04 Nov 2005 08:06:24 GMT https://community.cisco.com/t5/network-security/false-positive-dns-tunneling/m-p/471851#M95199 m.rainer 2005-11-04T08:06:24Z