Beginner

Exclude DNS subdomains from a rule in SFR module (ASA5516-x)

Sorry if this is a really noobish question. I am still fairly noobish in all things Sourcefire. I've had a poke around and a Google but did not stumble on anything that stood out as useful.

The DNS rules on our Sourcefire module (ASA 5516-X) are matching and dropping queries to subdomains of a higher-level domain that I know is OK. Anything outside of that domain is potentially still sus. Is there a way to tell the module to ignore a particular domain and all its subdomains for a specific rule? If not, can it be done globally for all DNS traffic?

Specifics:

Intrusion Rule: (3:31738) PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

Matches a DNS query like: asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com

I know surbl.example.com is used legitimately by my mail system to look up dodgy domains. Firewalls dropping the query will cause inaccurate results for the mail system.

If someone did a query for asdfwertgsdfsdfasf.fdewqtargfasdf.net I would still want the SFR module to pick up on it however.

SFR module running v5.4

Thanks in advance for your thoughts and advice.

Phill

ACCEPTED SOLUTION

Cisco Employee

You can add another content check to the rule in question and cause the rule not to trigger if it finds something. In your example you would take the original rule, copy it (because you can't change rules provided by Cisco) and then add content:!"surbl.example.com"; This tells Snort only to alert if (the rest of the rule matches and) the content surbl.example.com is not present in the packet. You would then activate the new rule and disable the existing rule SID:31738.
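One check worth doing before relying on a negated content match here: Snort's content option compares raw bytes, and a DNS name on the wire is a sequence of length-prefixed labels with no dots, so the literal string surbl.example.com never occurs in a DNS query or in the question section of an NXDOMAIN response. The wire-format equivalent is content:!"|05|surbl|07|example|03|com|00|"; and the trailing |00| matters because it pins the match to the end of the name (so a lookalike such as surbl.example.com.evil.test is not excluded). DNS names are also case-insensitive, so add nocase if you want the exclusion to survive mixed-case queries. The Python below is an added example, not code from this thread or from Cisco: it builds a constructed NXDOMAIN response for a few sample names and shows which form of the needle actually suppresses the check.

```python
import struct


def encode_name(name: str) -> bytes:
    """DNS wire format: each label is length-prefixed, terminated by a zero byte.
    'surbl.example.com' -> b'\\x05surbl\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_nxdomain(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet (not captured traffic): a minimal DNS response
    with one question and RCODE=3 (name error), which is what a 'domain not
    found' rule inspects. The question section is never name-compressed."""
    flags = 0x8183  # QR=1, RD=1, RA=1, RCODE=3
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def qname_from_packet(pkt: bytes) -> str:
    """Decode the first question name back to dotted form."""
    pos, labels = 12, []
    while pkt[pos] != 0:
        ln = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)


def negated_content_passes(pkt: bytes, needle: bytes) -> bool:
    """Semantics of content:!"needle"; : the option passes (so the rule may
    still fire) exactly when the needle is absent from the packet bytes."""
    return needle not in pkt


# The needle as written in the reply: dotted text, which never appears on the wire.
DOTTED = b"surbl.example.com"
# The wire-format needle, i.e. content:!"|05|surbl|07|example|03|com|00|";
WIRE = encode_name("surbl.example.com")


def evaluate(qname: str, needle: bytes) -> bool:
    """True means the exclusion did NOT suppress the rule for this name."""
    return negated_content_passes(build_dns_nxdomain(qname), needle)


if __name__ == "__main__":
    legit = "asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com"
    suspect = "asdfwertgsdfsdfasf.fdewqtargfasdf.net"
    lookalike = "surbl.example.com.evil.test"
    for name in (legit, suspect, lookalike):
        print(f"{name}: dotted needle fires={evaluate(name, DOTTED)} "
              f"wire needle fires={evaluate(name, WIRE)}")
```

With the dotted needle every name still fires, including the legitimate surbl.example.com lookup; with the wire-format needle only the bare random name and the lookalike fire, which is the behaviour the original poster asked for.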

5 REPLIES
Beginner

Ok, thanks. I can see how to do that.

Catch: I have a local rule now, but the GUI doesn't seem to let me add an option unless I click the Save button, and then I don't have time to make changes before the rule is saved and the page reloads. Prior to clicking Save, the 'Add Option' button and associated drop-down are greyed out. UI bug? Re-creating the rule from scratch by manually replicating the detection options from the original Cisco rule (metadata: engine shared, soid 3|31738, service dns) results in an error saying I cannot save a shared object rule without metadata.

Doing this means that if the Cisco rule changes, my local rule will not track it, i.e. I have to maintain the local rule myself, right? (Do the Cisco rules change, or do they generally just add new ones?)

Cisco Employee

Don't know why it would be greyed out. Try a different web browser.

Yes, once you fork a rule it does not get updated by Cisco; you have to maintain it on your own. You can see how many times a rule has been updated by looking at the revision number. Yes, Cisco updates rules from time to time. This does not always change the actual detection behavior, but you never know.

Beginner

Should have mentioned that I tried it in FF, Chrome and IE but had the same behaviour in all three.

Thanks for your response!

Beginner

Re: Exclude DNS subdomains from a rule in SFR module (ASA5516-x)

You marked this as solved, but did you ever get the rule working? Like you mentioned, if the rule is copied then I can't add the content option because it's greyed out. If I create the rule manually I can add both content and metadata, but the rule doesn't appear to ignore the domain entered as desired. If I view the rule and hit Save, I get "You cannot save a shared object rule without metadata", which indicates that the rule isn't valid somehow.
