Dns Tunnel exfiltrate data loss prevention

evan.chadwick1 (Level 1)

Is it possible for Firepower to detect data loss via DNS tunnels?

Such as what Infoblox can do?

Thanks in advance

Accepted Solution

There is no out-of-the-box solution like the one Infoblox has. However, there are other
built-in ways to protect.

FP uses SI to drop traffic to malicious URLs.
FP can have a DNS policy to block malicious domains.

These two are updated by Cisco global databases. Also, what you can do is
create a Snort rule to look at the number of characters in the domain name
and block if it crosses a specific threshold, which is the same way Infoblox
works. This is the power of Snort.

For example, depending on the size of the organization, you can create a rule
to drop any DNS packet with more than 20 characters in the domain name.
It's uncommon to have more than 20, and you can change this number.

An AES 128-bit key can be expressed as a hexadecimal string with 32
characters. It will require 24 characters in base64.

An AES 256-bit key can be expressed as a hexadecimal string with 64
characters. It will require 44 characters in base64.
Therefore 20 should be a good threshold. In the same Snort rule you can
append a rate, for example 20 times in 5 mins, etc.


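The accepted answer describes the check in words only: look at the length of the DNS labels in a query, flag anything over a threshold, and add a rate limit per source. The block below is an added example, not code from the original thread or from Cisco, that implements that logic in Python over constructed DNS packets so you can see what the threshold actually catches: a normal query for www.example.com passes, while a query whose first label carries a hex-encoded 16-byte key (32 characters) or its base64 form (24 characters) trips the 20-character threshold, matching the arithmetic in the answer. The `RateTracker` class mirrors the "20 times in 5 minutes" idea. The Snort rule quoted in the module docstring is my own assumption about how the same check would be expressed with `byte_test` and `detection_filter`; it is untested here, the sid is an arbitrary local number, and you should validate it against your own Snort/FTD version before deploying it.

```python
"""Label-length and rate checks for DNS-tunnel-style queries.

Added example, not the original post's code. A Snort 2.x-style rule that
expresses the same first-label check is sketched below as an ASSUMPTION
(untested here; offset 12 is the first QNAME length byte because a UDP
payload starts at the DNS header; DNS over TCP has a 2-byte length prefix):

  alert udp $HOME_NET any -> any 53 (msg:"DNS query, first label over 20 chars";
      byte_test:1,>,20,12; detection_filter:track by_src, count 20, seconds 300;
      classtype:policy-violation; sid:1000001; rev:1;)
"""
import base64
import struct
from collections import defaultdict, deque

LABEL_THRESHOLD = 20  # the threshold the accepted answer proposes


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (header + QNAME + QTYPE + QCLASS).
    Used only to construct sample packets offline; labels are validated
    against the 1..63 byte wire limit so the sample is well-formed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet: bytes) -> list:
    """Return the labels of the first question's QNAME.
    Rejects truncated packets and compression pointers (which are not valid
    in a question name) instead of guessing, so malformed input cannot slip
    past the length check by confusing the parser."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length


def longest_label(packet: bytes) -> int:
    """Length of the longest label in the query name (0 for the root)."""
    return max((len(label) for label in parse_qname(packet)), default=0)


def is_suspicious(packet: bytes, threshold: int = LABEL_THRESHOLD) -> bool:
    """True when any label exceeds the threshold, i.e. what the rule would drop."""
    return longest_label(packet) > threshold


class RateTracker:
    """Sliding-window counter per source, after the shape of Snort's
    detection_filter 'track by_src, count N, seconds S': record() returns
    True on the Nth and later hits inside the window."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self._hits = defaultdict(deque)

    def record(self, src: str, ts: float) -> bool:
        window = self._hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count


# Constructed sample data: a fixed 16-byte stand-in for an AES-128 key,
# encoded the two ways the accepted answer discusses.
KEY_128 = bytes(range(16))
HEX_LABEL = KEY_128.hex()                        # 32 characters
B64_LABEL = base64.b64encode(KEY_128).decode()   # 24 characters (padded)

NORMAL_QUERY = build_query("www.example.com")
HEX_TUNNEL_QUERY = build_query(HEX_LABEL + ".tun.example.net")
B64_TUNNEL_QUERY = build_query(B64_LABEL + ".tun.example.net")


def demo() -> dict:
    """Run the checks over the constructed samples and a burst from one source."""
    tracker = RateTracker(count=20, seconds=300)
    burst = [tracker.record("10.0.0.5", float(t)) for t in range(20)]
    return {
        "normal_longest": longest_label(NORMAL_QUERY),
        "normal_flagged": is_suspicious(NORMAL_QUERY),
        "hex_longest": longest_label(HEX_TUNNEL_QUERY),
        "hex_flagged": is_suspicious(HEX_TUNNEL_QUERY),
        "b64_longest": longest_label(B64_TUNNEL_QUERY),
        "b64_flagged": is_suspicious(B64_TUNNEL_QUERY),
        "rate_tripped_at_hit": burst.index(True) + 1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that this checks each label separately rather than the whole name, because a tunnel client has to fit its payload inside labels (63 bytes each) while legitimate names are usually made of short labels; a whole-name threshold of 20 would flag plenty of ordinary CDN and SaaS hostnames. Tune the threshold from your own DNS logs before switching the rule from alert to drop.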

2 Replies

Hi,

We are looking to implement this feature with blocking of domain names of more than 20 characters. Can you give a sample config?

Thanks for your help,

Vikas
