
New Member

Custom Signature to detect modifications to DNS

I need to write a signature that will allow me to detect a specific modification to DNS servers. Specifically, I have a manually entered MX record that keeps 'mysteriously' disappearing. Let's suppose the MX record is for mx.mymail.com....

How would I craft a signature to look for this information in packets destined to/from a given name server?

After I have the signature, I intend to log the subsequent traffic to decipher what is going on.

Thanks in advance!

3 REPLIES
Bronze

Re: Custom Signature to detect modifications to DNS

Hmm, I'd be really concerned if your MX records keep disappearing first of all. I'm guessing from your message that you'd like a signature to detect someone accessing an MX record for the host 'mx.mymail.com' or domain 'mymail.com', which would be more common. To do this you'll need to use a combination of STRING.UDP and event filters.

Engine STRING.UDP

Direction ToService

ServicePorts 53

RegexString \x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01

This should detect all MX queries for email destined to the 'mymail.com' domain. To limit this to specific nameservers, create some event filters for the signature with the nameservers as the destinations. For 4.x, be sure to enable the CapturePacket parameter also.

New Member

Re: Custom Signature to detect modifications to DNS

If you don't mind..... could you elaborate on the Hex portions of this regex?

Thanks!

Bronze

Re: Custom Signature to detect modifications to DNS

The \x06 and \x03 bits are the length separators in the domain name (where the periods go) terminated by a null (\x00). The \x00\x0F means it's an MX request. The last \x00\x01 means it is an 'inet' type request.
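To see what the RegexString from the signature actually matches on the wire, here is an added Python example (not from the original thread): it builds a minimal RFC 1035 DNS question for a name and runs the signature's byte pattern over it, so you can check which queries trip the signature before deploying it. The query builder and test names are constructed for illustration.

```python
import re
import struct

# DNS wire-format constants (RFC 1035)
QTYPE_A = 1
QTYPE_MX = 15
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte.

    'mymail.com' -> b'\\x06mymail\\x03com\\x00' (the \\x06/\\x03 'separators'
    in the signature are these label-length bytes, not literal dots)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query: 12-byte header + question section."""
    # flags 0x0100 = standard query, recursion desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


# The signature's RegexString as a bytes regex: case-insensitive 'mymail.com'
# in label form, then QTYPE=MX (0x000F) and QCLASS=IN (0x0001).
MX_MYMAIL_RE = re.compile(
    rb"\x06[Mm][Yy][Mm][Aa][Ii][Ll]\x03[Cc][Oo][Mm]\x00\x00\x0F\x00\x01"
)


def signature_matches(udp_payload: bytes) -> bool:
    """True if the UDP payload carries an MX question for mymail.com."""
    return MX_MYMAIL_RE.search(udp_payload) is not None
```

Because the pattern anchors on the length byte before 'mymail', a query for 'notmymail.com' does not match, while 'mx.mymail.com' (a host under the domain) does, and an A query for the same name does not.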
