TuncayBAS
Explorer
October 18, 2014
Question

DNS tunneling traffic: how can we prevent it with IPS?

  • October 18, 2014
  • 5 replies
  • 16806 views
Below are Snort signatures for the iodine software, but I have not used them on the FortiGate. How do I need to write these signatures for FortiGate?
  # detects iodine covert tunnels (over DNS), send feedback on rules to merc [at] securitywire.com
  # first content = DNS header bytes 2..11: flags 0x0100 (RD), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1
  # second content = EDNS0 OPT pseudo-RR: root name, TYPE 41, UDP size 4096, DO bit set, RDLENGTH 0
  alert udp any any -> any 53 ( \
      content:"|01 00 00 01 00 00 00 00 00 01|"; offset:2; depth:10; \
      content:"|00 00 29 10 00 00 00 80 00 00 00|"; \
      msg:"covert iodine tunnel request"; \
      threshold:type limit, track by_src, count 1, seconds 300; \
      sid:5619500; rev:1;)
  # first content = DNS header bytes 2..11: flags 0x8400 (QR, AA), QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0
  # second content = end of a name (0x00), TYPE 10 (NULL), CLASS 1 (IN)
  alert udp any 53 -> any any ( \
      content:"|84 00 00 01 00 01 00 00 00 00|"; offset:2; depth:10; \
      content:"|00 00 0a 00 01|"; \
      msg:"covert iodine tunnel response"; \
      threshold:type limit, track by_src, count 1, seconds 300; \
      sid:5619501; rev:1;)
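The two Snort rules above key on fixed bytes in the DNS header and on two fixed record encodings. As an added example that is not part of the original post, the following Python re-implements exactly those byte checks and runs them on DNS messages constructed inline (the tunnel domain t.example.com, the transaction IDs and the payloads are made up), so you can see which messages the rules catch and which they miss:

```python
# Added example (not from the original post): Python equivalent of the byte checks
# in Snort sids 5619500 / 5619501, run over constructed DNS messages.
import struct

# Snort "offset:2; depth:10" = bytes 2..11 of the DNS message: FLAGS, QDCOUNT,
# ANCOUNT, NSCOUNT, ARCOUNT (the 2-byte transaction ID at bytes 0..1 is skipped).
REQ_HEADER_TAIL = bytes.fromhex("0100 0001 0000 0000 0001")   # RD set; 1 question, 1 additional
RESP_HEADER_TAIL = bytes.fromhex("8400 0001 0001 0000 0000")  # QR+AA set; 1 question, 1 answer
# EDNS0 OPT pseudo-RR as matched by the request rule: root name, TYPE 41, CLASS
# (= UDP payload size) 4096, TTL field = ext-rcode 0 / version 0 / flags 0x8000 (DO), RDLENGTH 0.
REQ_OPT_RR = bytes.fromhex("00 0029 1000 00008000 0000")
# Tail of a NULL-type question or record: end-of-name 0x00, TYPE 10 (NULL), CLASS 1 (IN).
NULL_IN = bytes.fromhex("00 000a 0001")


def is_iodine_request(msg: bytes) -> bool:
    """Equivalent of sid 5619500 applied to one UDP payload sent to port 53."""
    return msg[2:12] == REQ_HEADER_TAIL and REQ_OPT_RR in msg


def is_iodine_response(msg: bytes) -> bool:
    """Equivalent of sid 5619501 applied to one UDP payload sent from port 53."""
    return msg[2:12] == RESP_HEADER_TAIL and NULL_IN in msg


# --- helpers that build sample DNS messages in RFC 1035 wire format ---
def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int, edns_do: bool) -> bytes:
    flags, arcount = 0x0100, (1 if edns_do else 0)          # RD=1, like any stub or resolver
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP size 4096, TTL field with DO bit, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if edns_do else b""
    return header + question + opt


def build_response(txid: int, qname: str, qtype: int, rdata: bytes, flags: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # answer name is a compression pointer (0xC00C) to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 0, len(rdata)) + rdata
    return header + question + answer


TYPE_A, TYPE_NULL = 1, 10

# Constructed samples; t.example.com is a hypothetical tunnel domain.
SAMPLES = {
    # iodine-style upstream query: NULL type, EDNS0 with DO bit
    "iodine_query": build_query(0x1234, "zg7k3.t.example.com", TYPE_NULL, edns_do=True),
    # ordinary A query without EDNS0: no match
    "plain_a_query": build_query(0x1234, "www.example.com", TYPE_A, edns_do=False),
    # DNSSEC-aware A query with a 4096-byte EDNS buffer carries the same header and OPT bytes
    "dnssec_a_query": build_query(0x1234, "www.example.com", TYPE_A, edns_do=True),
    # reply straight from an authoritative tunnel server: flags 0x8400, NULL answer
    "iodine_reply": build_response(0x1234, "zg7k3.t.example.com", TYPE_NULL, b"\x01\x02\x03", flags=0x8400),
    # same reply as relayed by a recursive resolver (RD+RA set, AA cleared): no match
    "relayed_reply": build_response(0x1234, "zg7k3.t.example.com", TYPE_NULL, b"\x01\x02\x03", flags=0x8180),
}


def classify(samples: dict) -> dict:
    """Map sample name -> (request rule fires, response rule fires)."""
    return {name: (is_iodine_request(m), is_iodine_response(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, (req, resp) in classify(SAMPLES).items():
        print(f"{name:15s} request-rule={req!s:5s} response-rule={resp}")
```

Two things the samples make visible. The request rule does not look at the query type at all: any query with RD set, one question, and a single EDNS0 OPT record advertising a 4096-byte buffer with the DO bit fires it, which is what a DNSSEC-aware client or resolver sends, so on a busy network the `threshold` is doing a lot of work and the alert is an indicator rather than a verdict. The response rule, on the other hand, requires the header flags to be exactly 0x8400; a tunnel reply that reaches the client through a recursive resolver normally carries RD and RA (and loses AA), so it is missed. Matching on the NULL record type in the question section, and on query volume per source, is what the rules actually buy you.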

    5 replies

    Dave_Hall
    New Member
    October 18, 2014
    Iodine is listed in app control as a proxy; I would imagine you can tailor an app sensor to block proxies over DNS traffic.
    ede_pfau
    SuperUser
    October 18, 2014
    I regularly use an AppControl sensor with these DNS misusers: DNS_DNS2TCP, DNS_Dynamic.Update, DNS_Request.ANY.Record, DNS_Zone.Transfer, TCP.Over.DNS
    TuncayBAS
    Author
    Explorer
    October 18, 2014
    Thanks for your answers, but I want to use IPS signatures, not app control.
    ede_pfau
    SuperUser
    October 19, 2014
    AppControl is based on the IPS engine. Any reason why you don't want to use it? CPU load won't be affected much.
    TuncayBAS
    Author
    Explorer
    October 20, 2014
    Ready to put into place: with the IPS, how do I prevent this kind of traffic? I'm doing research. I also know that it can be blocked with application control.