FTD 6.2.3 is not detecting DNS tunneling with DNSCAT2

nws_read (Level 1)

Hi all,

I can't seem to find a good intrusion rule to detect DNSCAT2 tunneling traffic.

I've set up a working DNSCAT2 tunnel and copied all DNS traffic with a SPAN port to a passive interface on our FTD.

Then I created a dedicated rule with application "DNS" and a dedicated intrusion profile with all the DNS tunneling detection rules I could find (refer to the picture).

I see the DNS traffic appearing in the connection events, and it passes via the correct rule with the dedicated intrusion profile on it.

However, the only rule that triggers is 30881 - dns request with long host name segment - possible data exfiltration event.

Unfortunately this rule is not very useful for detecting DNS tunneling, because we see it also triggers for the typically large cloud DNS names you see nowadays.

Does anyone know a good way to detect DNS tunneling with the FTD?

[image: DNS_Tunnel_intrusion_profile.JPG]

edit:

An example of a dnscat2 tunnel:

[image: DNSCAT2_example_traffic.JPG]

Best Regards,
Joeri

0 Replies
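The post's complaint about rule 30881 is that label length alone cannot separate a tunnel from a long cloud hostname. The following is an added example, not code from the post or from Cisco, of the two extra signals a detection usually needs: whether a label looks like encoded payload (hex-like characters with high entropy) rather than readable words, and how many distinct subdomains are being queried under one zone. It assumes you can get the queried names out of band, for instance from a packet capture on the SPAN port described in the post or from a resolver log; the sample names and the thresholds are constructed for illustration and are not from the original page.

```python
import math
from collections import defaultdict

# Constructed sample queries (not from the post): long but legitimate cloud
# hostnames alongside tunnel-style names whose first label is hex-encoded data
# and whose zone "c2.example" is a placeholder, not a real domain.
SAMPLE_QUERIES = [
    "ec2-54-123-45-67.eu-west-1.compute.amazonaws.com",
    "prod-us-east-1-lb-1234567890.elb.amazonaws.com",
    "cdn-assets-static-content-delivery.cloudfront.net",
    "7a1f9c03e4b2d5a8f6c1e9b3d7a4f2c8.0013f2a9.c2.example",
    "b83e2d91f0c7a4e6d2b5f8a1c3e7d9f4.0013f2aa.c2.example",
    "e4c7a2f9b1d6e3c8a5f0b7d4c2e9a6f1.0013f2ab.c2.example",
]

HEX_CHARS = set("0123456789abcdef")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payload scores near the maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hex_ratio(label: str) -> float:
    """Fraction of characters that are hex digits (hyphens and other letters lower it)."""
    if not label:
        return 0.0
    return sum(ch in HEX_CHARS for ch in label.lower()) / len(label)


def looks_encoded(label: str, min_len: int = 24, min_hex: float = 0.9,
                  min_entropy: float = 3.0) -> bool:
    """True when a single label is long, almost entirely hex, and high-entropy.

    Readable hostnames fail the hex test even when they are long, which is the
    false-positive case rule 30881 cannot distinguish. Thresholds are illustrative.
    """
    return (len(label) >= min_len
            and hex_ratio(label) >= min_hex
            and shannon_entropy(label) >= min_entropy)


def analyse(queries, zone_depth: int = 2, min_unique: int = 3):
    """Group queries by zone (last `zone_depth` labels) and score each zone.

    A zone is flagged when it receives at least `min_unique` distinct subdomain
    prefixes and at least half of its queries carry an encoded-looking label.
    """
    per_zone = defaultdict(lambda: {"unique": set(), "encoded": 0, "total": 0})
    for qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        zone = ".".join(labels[-zone_depth:])
        prefix_labels = labels[:-zone_depth]
        stats = per_zone[zone]
        stats["total"] += 1
        stats["unique"].add(".".join(prefix_labels))
        if any(looks_encoded(lbl) for lbl in prefix_labels):
            stats["encoded"] += 1

    findings = {}
    for zone, s in per_zone.items():
        unique = len(s["unique"])
        findings[zone] = {
            "unique_prefixes": unique,
            "encoded_queries": s["encoded"],
            "total_queries": s["total"],
            "suspicious": unique >= min_unique and 2 * s["encoded"] >= s["total"],
        }
    return findings


if __name__ == "__main__":
    for zone, info in analyse(SAMPLE_QUERIES).items():
        print(zone, info)
```

Run over the constructed sample, the two amazonaws.com names are long but not encoded-looking and only two prefixes appear, so the zone is not flagged, while the placeholder c2.example zone is flagged on both counts. In practice the per-zone counter would be keyed on a time window and fed from a continuous source, since a single tunnel session produces many unique subdomains in a short time and that volume, not any one query's length, is the distinguishing signal.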