03-21-2018 03:54 PM - edited 02-21-2020 07:32 AM
Is it possible for Firepower to detect data loss via DNS tunnels?
Such as what Infoblox can do?
Thanks in advance
Labels: NGFW Firewalls
Accepted Solution
03-21-2018 11:14 PM
There is no out-of-the-box solution like the one Infoblox provides. However, there are other built-in ways to protect.
FP uses SI to drop traffic to malicious URLs.
FP can have a DNS policy to block malicious domains.
These two are updated by Cisco's global databases. Also, what you can do is create a Snort rule to look at the number of characters in the domain name and block if it crosses a specific threshold, which is the same way Infoblox works. This is the power of Snort.
For example, depending on the size of the organization, you can create a rule to drop any DNS packet with more than 20 characters in the domain name. It's uncommon to have more than 20, and you can change this number.
An AES 128-bit key can be expressed as a hexadecimal string with 32 characters. It will require 24 characters in base64.
An AES 256-bit key can be expressed as a hexadecimal string with 64 characters. It will require 44 characters in base64.
Therefore 20 should be a good threshold. In the same Snort rule you can append a rate, for example 20 times in 5 minutes, etc.
02-25-2020 07:37 AM
Hi,
We are looking to implement this feature, blocking domain names of more than 20 characters. Can you give a sample config?
Thanks for your help,
Vikas
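A sample of the rule the accepted answer describes, added here as an example and not taken from the thread or from Cisco's own rule content. The Snort 2 rule text is kept as a string constant, and the Python beside it applies the same two tests (a query whose first question name is longer than 20 characters, rate-limited to 20 hits per source in 5 minutes) to DNS packets built in the script, so the thresholds can be tried against captured traffic before the rule is set to drop. The sid, the $HOME_NET variable, the IP addresses and the query names are assumptions for illustration.

```python
"""Length-based DNS tunnelling check modelled on the Snort rule the accepted
answer describes.  Added example, not Cisco Firepower code."""
import struct
from collections import defaultdict, deque

# Thresholds from the answer: names over 20 characters, 20 hits per source in 5 min.
MAX_QNAME_LEN = 20
RATE_COUNT = 20
RATE_SECONDS = 300

# Assumed Snort 2 rule for the same test (the sid is a placeholder).  The question
# name starts at payload offset 12; a dotted name of N characters occupies N+1
# non-NUL wire bytes (a length byte per label instead of a dot), so "more than 20
# characters" means at least 22 non-NUL bytes before the 0x00 terminator.  The
# content match pins QDCOUNT=1, ANCOUNT=0, NSCOUNT=0.  To test only the first
# label's length instead, replace the pcre with byte_test:1,>,20,12;
SNORT_RULE = (
    'alert udp $HOME_NET any -> any 53 ('
    'msg:"DNS query name longer than 20 characters - possible tunnelling"; '
    'flow:to_server; content:"|00 01 00 00 00 00|"; offset:4; depth:6; '
    'pcre:"/^.{12}[^\\x00]{22}/s"; '
    'detection_filter:track by_src, count 20, seconds 300; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

def build_query(name, txid=0x1234, qtype=1):
    """Encode a standard query (RD set, one question) for a dotted name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(packet):
    """Return the dotted name of the first question in a DNS message."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(packet):
            raise ValueError("malformed question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    raise ValueError("unterminated question name")

def matches_rule(packet, max_len=MAX_QNAME_LEN):
    """Packet-level part of the rule: a query whose first name exceeds max_len."""
    if len(packet) < 12 or packet[2] & 0x80:          # QR bit set: a response
        return False
    if packet[4:10] != b"\x00\x01\x00\x00\x00\x00":   # the content match
        return False
    return len(parse_qname(packet)) > max_len

class DetectionFilter:
    """Mirror of detection_filter:track by_src, count N, seconds T."""

    def __init__(self, count=RATE_COUNT, seconds=RATE_SECONDS):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def check(self, src, ts):
        """Record a rule hit; True once the source reached count hits in the window."""
        window = self.hits[src]
        window.append(ts)
        while ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.count

def flag_sources(events, max_len=MAX_QNAME_LEN, count=RATE_COUNT, seconds=RATE_SECONDS):
    """events: (timestamp, src_ip, packet) triples.  Returns {src: alert count}."""
    filt, alerts = DetectionFilter(count, seconds), defaultdict(int)
    for ts, src, packet in events:
        if matches_rule(packet, max_len) and filt.check(src, ts):
            alerts[src] += 1
    return dict(alerts)

def sample_events():
    """Constructed traffic: a normal client and a host tunnelling data in labels."""
    events = []
    for i, name in enumerate(["www.cisco.com", "safebrowsing.googleapis.com",
                              "community.cisco.com"]):
        events.append((i * 10.0, "10.0.0.5", build_query(name)))
    for i in range(25):                      # 25 long queries in two minutes
        chunk = "%02d%s" % (i, "a" * 38)     # constructed 40-character label
        events.append((i * 5.0, "10.0.0.9", build_query(chunk + ".t.example.com")))
    return events

if __name__ == "__main__":
    print(SNORT_RULE)
    for src, n in flag_sources(sample_events()).items():
        print("%s: %d alerts after the rate filter" % (src, n))
```

Run as written, the normal client trips the length test once (safebrowsing.googleapis.com is 27 characters) but never reaches the rate, while the tunnelling host is reported after its 20th long query. That one legitimate hit is the point of keeping the detection_filter: 20 characters on the full name is a low bar for real traffic, so import the rule into FMC as a custom intrusion rule, leave it generating events only until the false-positive rate on your own traffic is known (or switch to the per-label byte_test variant), and only then set its state to Drop and Generate Events in the intrusion policy; the drop takes effect only on an inline deployment.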
