Cisco Support Community

New Member

false-positive: DNS Tunneling

Hello,

We have a problem regarding signature 6066. We get immense numbers of false positives. The description of that signature says:

This signature fires upon detecting an excessively large number of DNS TXT record lookups originating from a single source. This may indicate the presence of a DNS tunneling tool in operation.

I turned on "trigger packets" for that signature and found out that the DNS servers are communicating normally and the TXT record only shows some "standard query TXT [domain].com" (I don't want to write down the real domain here!).

So in my opinion it's a false positive. But how can I tune that signature so that I don't see any false positives?

Any idea?

Thanks a lot

Markus

3 REPLIES

Re: false-positive: DNS Tunneling

If you are sure that it is a false positive you can modify whatever you are using to monitor the IPS to ignore that signature when the source IP is that particular one. You don't have to turn it off globally.

Hope this helps.

Please remember to rate all replies.

New Member

Re: false-positive: DNS Tunneling

Hello,

Yes, I know how to tune signatures.

The problem here is that DNS tunneling uses the "normal" DNS servers. So I can filter signature 6066 for the src or dst of my DNS servers, but then I will never see any DNS tunneling again.

Any other suggestion?

Regards

Markus
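One way to tune past a blanket source-IP filter like the one discussed above, as an added example that is not from this thread or from Cisco: count TXT queries per source, but also look at how many distinct names each source asks for and how random the first label looks, so a resolver repeating ordinary "standard query TXT example.com" lookups is not flagged while a client churning through encoded subdomains is. The log format, the sample lines and the thresholds are assumptions.

```python
# Added example, not from the thread: triage 6066-style TXT alerts by what each
# source asks for, not only by how often it asks.
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log ("<client_ip> <qtype> <qname>", hypothetical format)
SAMPLE_LOG = """\
10.0.0.5 TXT example.com
10.0.0.5 TXT example.com
10.0.0.5 TXT example.com
10.0.0.7 TXT mail.example.org
10.0.0.7 TXT _dmarc.example.org
10.0.0.7 TXT example.org
10.0.0.9 A www.example.net
10.0.0.9 TXT 3q2k9v8s.example.net
10.0.0.9 TXT 7zx1p0ab.example.net
10.0.0.9 TXT k8jd2m4n.example.net
10.0.0.9 TXT 9ql0wa3e.example.net
"""

def shannon_entropy(label):
    """Bits per character of a DNS label; encoded tunnel payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def profile_txt_sources(log_text):
    """Per source: TXT query count, distinct names, mean entropy of the first label."""
    counts, names, ent = Counter(), defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        src, qtype, qname = line.split()
        if qtype != "TXT":          # signature 6066 counts TXT lookups only
            continue
        counts[src] += 1
        names[src].add(qname.lower())
        ent[src].append(shannon_entropy(qname.split(".")[0]))
    return {s: {"count": counts[s], "distinct": len(names[s]),
                "mean_entropy": sum(ent[s]) / counts[s]} for s in counts}

def suspicious_sources(log_text, min_queries=3, min_distinct_ratio=0.5, min_entropy=2.8):
    """Flag sources that are busy AND ask for many distinct, random-looking names.
    A resolver repeating one SPF lookup or resolving ordinary names stays quiet."""
    return sorted(s for s, st in profile_txt_sources(log_text).items()
                  if st["count"] >= min_queries
                  and st["distinct"] / st["count"] >= min_distinct_ratio
                  and st["mean_entropy"] >= min_entropy)
```

On the sample log only 10.0.0.9 is flagged: 10.0.0.5 repeats a single name and 10.0.0.7 resolves ordinary mail-related names, so both stay below the thresholds even though all three exceed the raw query count.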

New Member

Re: false-positive: DNS Tunneling

Hi,

Has no one out there ever had problems with DNS tunneling in his/her network? How did you solve those problems?

Best regards

Markus
