cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1888
Views
0
Helpful
2
Replies

Dns Tunnel exfiltrate data loss prevention

evan.chadwick1
Beginner
Beginner

Is it possible for Firepower to detect data loss via dns tunnels? 

Such as what infoblocks can do?

 

Thanks in advance

1 Accepted Solution

Accepted Solutions

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
There is no out-of-box solution as Infoblox works. However there are other
built-in ways to protect.

FP - Uses SI to drop traffic against malicious URLs
FP can have a DNS policy to block malicious domains

These two are updated by Cisco global databases. Also, what you can do is
to create a snort rule to look at the number of characters in domain name
and block if it crosses specific threshold which same way how infoblox
works. This is the power of snort.

For example, depending on the size of organization, you can create a rule
to drop any DNS packet with domain name more that 20-characters in the
domain name. Its uncommon to have more than 20 and you can change this
number.

An AES 128-bit key can be expressed as a hexadecimal string with 32
characters. It will require 24 characters in base64.

An AES 256-bit key can be expressed as a hexadecimal string with 64
characters. It will require 44 characters in base64.
Therefore 20 should be a good threshold. In the same snort rule you can
append a rate for example 20 times in 5 mins, etc


View solution in original post

2 Replies 2

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
There is no out-of-box solution as Infoblox works. However there are other
built-in ways to protect.

FP - Uses SI to drop traffic against malicious URLs
FP can have a DNS policy to block malicious domains

These two are updated by Cisco global databases. Also, what you can do is
to create a snort rule to look at the number of characters in domain name
and block if it crosses specific threshold which same way how infoblox
works. This is the power of snort.

For example, depending on the size of organization, you can create a rule
to drop any DNS packet with domain name more that 20-characters in the
domain name. Its uncommon to have more than 20 and you can change this
number.

An AES 128-bit key can be expressed as a hexadecimal string with 32
characters. It will require 24 characters in base64.

An AES 256-bit key can be expressed as a hexadecimal string with 64
characters. It will require 44 characters in base64.
Therefore 20 should be a good threshold. In the same snort rule you can
append a rate for example 20 times in 5 mins, etc


Hi,

We are looking to implement this feature with blocking of domain-name more than 20 characters, can you give a sample config.

Thanks for your help,

Vikas