Kelvin00846
Beginner

FMC: How to whitelist a particular DNS request being dropped by “MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt”

Recently a particular DNS request is being dropped by the rule “MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt” and this is affecting our access to that external resource.
We looked over the event's packet information; the dropped DNS request's domain details are:
XXX- us-east-1-XXX-XXX-XXX.XXX.XXX.com: type A, class IN
Name: XXX- us-east-1-XXX-XXX-XXX.XXX.XXX.com
Type: A (Host address)
Class: IN (0x0001)
In this connection, we wanted to whitelist only this particular DNS request: XXX- us-east-1-XXX-XXX-XXX.XXX.XXX.com by:
Adding an Access Control Policy:
Access Control Policy #1 – URLs: XXX- us-east-1-XXX-XXX-XXX.XXX.XXX.com; Action: Allow (Inspection: Intrusion Policy #1)

In the "Intrusion Policy":
Intrusion Policy #1 - Drop when inline: No; Status: Used by 1 access control policy (used by Access Control Policy #1)
However, this DNS request is still being dropped despite the access control policy. Could anyone advise what went wrong?
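The rule named in the post fires on the length of an individual host name segment (a DNS label), not on the full domain, so before tuning it is useful to confirm which label of the queried name is the long one. The following is an added example, not part of the original post or of any Cisco/Snort code: it builds a wire-format DNS A query for a constructed name, parses the QNAME back out of the packet and reports the longest label. The name `svc-us-east-1-aaaa….example.com` and the 50-character threshold are assumptions for illustration; the actual segment length the Snort rule checks is not stated on the page, so substitute the real value when comparing against your own event.

```python
import struct

# Assumed threshold for a "long" label. The real length tested by the
# Snort rule is not given on the page; this value is illustrative only.
LONG_LABEL_THRESHOLD = 50


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query (type A, class IN) for `name`."""
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(packet: bytes, offset: int = 12):
    """Return (labels, qtype, qclass) from the first question of a DNS packet."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # Compression pointers do not appear in the question of a query.
            raise ValueError("unexpected compression pointer in QNAME")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return labels, qtype, qclass


def label_report(packet: bytes, threshold: int = LONG_LABEL_THRESHOLD) -> dict:
    """Summarise the queried name and flag whether any single label exceeds `threshold`."""
    labels, qtype, qclass = parse_question(packet)
    longest = max(labels, key=len)
    return {
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "longest_label": longest,
        "longest_len": len(longest),
        "exceeds": len(longest) > threshold,
    }


# Constructed sample names (not the poster's real hostname): one with a
# 54-character first label, one ordinary name for comparison.
LONG_NAME = "svc-us-east-1-" + "a" * 40 + ".example.com"
SHORT_NAME = "www.example.com"

if __name__ == "__main__":
    for name in (LONG_NAME, SHORT_NAME):
        report = label_report(build_query(name))
        print(f"{report['name']}: longest label {report['longest_len']} chars, "
              f"exceeds threshold: {report['exceeds']}")
```

Running this against the name from your own intrusion event (with the real threshold) tells you whether the match is driven by one unusually long label, which is the information needed when deciding between a per-rule suppression scoped to that destination and a change to the rule's state in the intrusion policy.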
