I have gone through some recent vulnerability documents from Cisco and came to read a topic on DNS tunneling and an application tool that may perform such activity: DNScapy.
DNScapy is a DNS tunneling tool. The code is very light and written in Python. It includes a server and a client. The server can handle multiple clients.
DNScapy creates an SSH tunnel through DNS packets. SSH connection, SCP and SOCKS proxy (SSH -D) are supported. You can use CNAME records or TXT records for the tunnel. The default mode is RAND, which randomly uses both CNAME and TXT.
DNScapy uses Scapy (http://www.secdev.org/scapy) for DNS packet forging and for its network automation API.
Now, on the preventive end, is there any signature Cisco may want to release for IPS and Sourcefire units?
Thank you for your comment. I believe this is in the wrong forum to get the proper assistance. Please try posting this to the Snort Rule Coverage rather than AMP as this will allow the proper personnel to address the issue.
ENGINEER, CUSTOMER SUPPORT
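
For the detection side of the question above, here is an added example (not from this thread, and not a Cisco or Snort signature) of a log-based heuristic for the CNAME/TXT tunnel behaviour described: many unique, long, high-entropy labels under one parent domain, queried almost only as CNAME or TXT. The log records, thresholds and the "last two labels" parent-domain rule are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def fake_label(i):
    # Constructed stand-in for an encoded tunnel payload chunk (40 hex chars).
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]

# Constructed query log: (client, qtype, qname). All names are made up.
SAMPLE_LOG = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "TXT", "example.com"),
]
# Client mixing CNAME and TXT lookups with long, unique labels under one domain.
SAMPLE_LOG += [("10.0.0.9", ("CNAME", "TXT")[i % 2], f"{fake_label(i)}.tunnel.example")
               for i in range(8)]
# Benign look-alike: hashed asset hostnames, but ordinary A lookups.
SAMPLE_LOG += [("10.0.0.5", "A", f"{fake_label(100 + i)}.cdn.example") for i in range(8)]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.split(".")[-2:])

def find_tunnel_candidates(log, min_unique=6, min_len=30, min_entropy=3.0, min_share=0.9):
    groups = defaultdict(list)
    for client, qtype, qname in log:
        name = qname.rstrip(".").lower()
        groups[(client, parent_domain(name))].append((qtype, name))
    hits = []
    for (client, domain), rows in groups.items():
        # Unique subdomain parts per client and parent domain; bare-domain queries drop out.
        subs = {n[: -len(domain)].rstrip(".") for _, n in rows} - {""}
        if len(subs) < min_unique:
            continue
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        share = sum(t in ("CNAME", "TXT") for t, _ in rows) / len(rows)
        if mean_len >= min_len and mean_ent >= min_entropy and share >= min_share:
            hits.append((client, domain, len(subs)))
    return hits

if __name__ == "__main__":
    for client, domain, unique in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client} -> {domain}: {unique} unique CNAME/TXT labels")
```

The record-type share is what separates the constructed tunnel client from the hashed CDN hostnames here; thresholds need tuning against a site's own resolver logs before alerting on them.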