10-31-2005 04:53 AM - edited 03-10-2019 01:43 AM
Hello,
We have a problem regarding signature 6066. We got immense numbers of false positives. The description of that signature says:
This signature fires upon detecting an excessively large number of DNS TXT record lookups originating from a single source. This may indicate the presence of a DNS tunneling tool in operation.
I turned on "trigger packets" for that signature and found out that the DNS servers are communicating normally and the TXT record only shows some "standard query TXT [domain].com" (I don't want to write down the real domain here!)
So in my opinion it's a false positive. But how can I tune that signature not to see any false positives?
Any idea?
Thanks a lot
Markus
10-31-2005 05:43 AM
If you are sure that it is a false positive you can modify whatever you are using to monitor the IPS to ignore that signature when the source IP is that particular one. You don't have to turn it off globally.
Hope this helps.
Please remember to rate all replies
10-31-2005 07:01 AM
Hello,
Yes, I know how to tune signatures.
The problem here is, DNS tunneling uses the "normal" DNS servers. So I can filter signature 6066 for src or dst of my DNS servers, but then I will never see any DNS tunneling again.
Any other suggestion?
Regards
Markus
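An added example (not from this thread, and not Cisco's signature logic) of how a defender can keep looking at the DNS servers' traffic without filtering them out: instead of counting TXT lookups per source alone, it profiles each source per zone and only flags the pair when most of the TXT queries use a distinct name, which is what tunneling tools produce and what the repeated "standard query TXT [domain].com" in the trigger packets does not. The log line format, the sample lines, and the two-label zone heuristic are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample lines in an assumed format: "<src_ip> TXT <qname>".
# 10.0.0.5 repeats the same TXT name (the pattern seen in the trigger packets);
# 10.0.0.9 sends a different subdomain each time under one zone.
SAMPLE_LOG = """
10.0.0.5 TXT example.com
10.0.0.5 TXT example.com
10.0.0.5 TXT example.com
10.0.0.5 TXT example.com
10.0.0.9 TXT a9f3k2.tunnel.example.net
10.0.0.9 TXT zz81qq.tunnel.example.net
10.0.0.9 TXT 07hhxp.tunnel.example.net
10.0.0.9 TXT ld2m4c.tunnel.example.net
""".strip()

def registrable_zone(qname, labels=2):
    """Crude zone key: the last N labels (assumption: no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])

def txt_profile(log_text):
    """Per (src, zone): number of TXT queries and the set of distinct names."""
    stats = defaultdict(lambda: {"queries": 0, "names": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "TXT":
            continue  # ignore malformed lines and non-TXT records
        src, qname = parts[0], parts[2]
        key = (src, registrable_zone(qname))
        stats[key]["queries"] += 1
        stats[key]["names"].add(qname.lower())
    return stats

def suspicious_sources(log_text, min_queries=4, min_unique_ratio=0.8):
    """Flag (src, zone) pairs where nearly every TXT lookup used a new name.

    Returns sorted tuples of (src, zone, total_queries, distinct_names).
    A source repeating one name many times has a low ratio and is not flagged,
    so the DNS servers themselves need not be excluded from the check.
    """
    flagged = []
    for (src, zone), s in txt_profile(log_text).items():
        if s["queries"] < min_queries:
            continue
        if len(s["names"]) / s["queries"] >= min_unique_ratio:
            flagged.append((src, zone, s["queries"], len(s["names"])))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in suspicious_sources(SAMPLE_LOG):
        print("suspicious:", hit)
```

Thresholds are placeholders; tune `min_queries` and `min_unique_ratio` against a baseline of your own resolvers' TXT traffic before acting on the output.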
11-04-2005 12:06 AM
Hi,
No one out there ever had problems with DNS tunneling in his/her network? How did you solve those problems?
Best regards
Markus