cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3079
Views
0
Helpful
5
Replies
Norix S
Beginner

Signature to detect DNS Tunneling - SourceFire

Experts,

I have gone through some recent vulnerabilities document from cisco and came to read a topic on DNS Tunneling & an Application tool that may perform such activity - DNScapy.

DNScapy is a DNS tunneling tool. The code is very light and written in Python. It includes a server and a client. The server can handle multiple clients.

DNScapy creates an SSH tunnel through DNS packets. SSH connection, SCP and proxy socks (SSH -D) are supported. You can use CNAME records or TXT records for the tunnel. The default mode is RAND, which uses randomly both CNAME and TXT.

DNScapy uses Scapy (http://www.secdev.org/scapy) for DNS packet forging and for his network automation API.

"

Now, on the preventive end, is there any Signature Cisco may want to release for IPS & Sourcefire units?

Is there any measures Cisco suggest we could implement from within the device?

Thanks!

Norix S. 

5 REPLIES 5
Matthew Franks
Cisco Employee

Hello Norix,

Thank you for your comment.  I believe this is in the wrong forum to get the proper assistance.  Please try posting this to the Snort Rule Coverage rather than AMP as this will allow the proper personnel to address the issue.

Thanks,

Matthew Franks

ENGINEER, CUSTOMER SUPPORT

FirePOWER TAC

Frank

Noted on the correction.

Thanks 

anyone care to share their thoughts on this?

I too have the same question guys, any update ?

Thanks in advance.

rick11
Beginner

Did you find any solution?
Thank you
Create
Recognize Your Peers
Content for Community-Ad