08-29-2016 10:59 PM - edited 02-21-2020 05:54 AM
Experts,
I have gone through a recent vulnerabilities document from Cisco and came to read a topic on DNS Tunneling & an application tool that may perform such activity - DNScapy.
"
DNScapy is a DNS tunneling tool. The code is very light and written in Python. It includes a server and a client. The server can handle multiple clients.
DNScapy creates an SSH tunnel through DNS packets. SSH connection, SCP and proxy socks (SSH -D) are supported. You can use CNAME records or TXT records for the tunnel. The default mode is RAND, which uses randomly both CNAME and TXT.
DNScapy uses Scapy (http://www.secdev.org/scapy) for DNS packet forging and for his network automation API.
"
Now, on the preventive end, is there any Signature Cisco may want to release for IPS & Sourcefire units?
Thanks!
Norix S.
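On the detection side, the traffic pattern in the quoted description (one client sending a stream of CNAME and TXT queries that carry payload in the query name) can be hunted in DNS query logs. The sketch below is an added example, not part of the original post and not a Cisco or Snort signature; the thresholds, the two-label parent-domain split, and the sample log (base32 labels standing in for tunnel payload, not DNScapy's actual encoding) are assumptions.

```python
import base64, hashlib, math
from collections import Counter, defaultdict
# Thresholds are illustrative assumptions; tune them against your own DNS baseline.
MIN_QUERIES, MIN_UNIQUE = 20, 0.9   # volume and share of distinct names per group
MIN_AVG_LEN, MIN_ENTROPY = 30, 3.5  # mean subdomain length and bits per character
TUNNEL_TYPES = {"CNAME", "TXT"}     # record types the quoted description names

def entropy(s):
    """Shannon entropy of a string in bits per character (0 for an empty string)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(qname):
    """Naive split: parent = last two labels (assumption; use a public-suffix list in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_suspects(records):
    """records: iterable of (client_ip, qname, qtype) tuples from a DNS query log."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        sub, parent = split_name(qname)
        groups[(client, parent)].append((sub, qtype.upper()))
    suspects = []
    for (client, parent), rows in groups.items():
        subs = [s for s, _ in rows]
        types = Counter(t for _, t in rows)
        tunnel_share = sum(types[t] for t in TUNNEL_TYPES) / len(rows)
        if (len(rows) >= MIN_QUERIES
                and len(set(subs)) / len(rows) >= MIN_UNIQUE
                and sum(map(len, subs)) / len(rows) >= MIN_AVG_LEN
                and sum(map(entropy, subs)) / len(rows) >= MIN_ENTROPY
                and tunnel_share >= 0.9):
            suspects.append({"client": client, "domain": parent,
                             "queries": len(rows), "types": dict(types)})
    return suspects

def constructed_sample():
    """Constructed log: 10.0.0.5 sends long random-looking names, 10.0.0.9 browses normally."""
    rows = []
    for i in range(40):
        raw = hashlib.sha256(str(i).encode()).digest()
        label = base64.b32encode(raw).decode().strip("=").lower()
        rows.append(("10.0.0.5", f"{label}.t.example.net", "TXT" if i % 2 else "CNAME"))
        rows.append(("10.0.0.9", f"www{i % 3}.example.com", "A"))
    return rows

if __name__ == "__main__":
    for hit in find_tunnel_suspects(constructed_sample()):
        print(hit)
```

All five conditions must hold for a group to be flagged, which keeps ordinary high-volume lookups (short, repeated names, mostly A records) out of the results.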
08-30-2016 07:04 AM
Hello Norix,
Thank you for your comment. I believe this is in the wrong forum to get the proper assistance. Please try posting this to the Snort Rule Coverage rather than AMP as this will allow the proper personnel to address the issue.
Thanks,
Matthew Franks
ENGINEER, CUSTOMER SUPPORT
FirePOWER TAC
08-30-2016 04:58 PM
Frank
Noted on the correction.
Thanks
08-31-2016 08:03 PM
Anyone care to share their thoughts on this?
11-28-2016 02:29 AM
I too have the same question guys, any update?
Thanks in advance.
09-21-2017 05:15 AM