Exclude DNS subdomains from a rule in SFR module (ASA5516-x)

Phillip Macey
Level 1

Sorry if this is a really noobish question. I am still fairly noobish in all things Sourcefire. I've had a poke around and a google but did not stumble on anything that stood out as useful.

The DNS rules on our sourcefire module (asa 5516-x) are matching and dropping queries to subdomains of a higher level domain that I know is ok. Anything outside of that domain is potentially still sus. Is there a way to tell the module to ignore a particular domain and all its subdomains for a specific rule? If not, can it be done globally for all DNS traffic?

Specifics:

Intrusion Rule: (3:31738) PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

Matches a DNS query like: asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com

I know surbl.example.com is used legitimately by my mail system to look up dodgy domains. Firewalls dropping the query will cause inaccurate results for the mail system.

If someone did a query for asdfwertgsdfsdfasf.fdewqtargfasdf.net I would still want the SFR module to pick up on it however.

SFR module running v5.4

Thanks in advance for your thoughts and advice.

Phill

Accepted Solution

atatistc
Cisco Employee

You can add another content check to the rule in question and cause the rule not to trigger if it finds something. In your example you would take the original rule, copy it (because you can't change rules provided by Cisco) and then add content:!"surbl.example.com"; This tells Snort only to alert if (the rest of the rule matches and) the content surbl.example.com is not present in the packet. You would then activate the new rule and disable the existing rule SID:31738.

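An added illustration, not code from the thread or from Cisco, of how a content:!"..." check behaves against the query name above. Snort's content keyword is a byte-substring search over the packet, and DNS carries names on the wire as length-prefixed labels rather than dotted text, so the pattern is tried in both the dotted form and the |hex| label form. It assumes the check runs over the raw payload with no decoder normalising the name first, and the packet below is constructed for the example.

```python
# Added example: Snort-style negated content match versus DNS wire-format names.
# Assumption: the content check is a plain byte-substring search over the payload.

def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels: <len><label>... then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def content_bytes(pattern: str) -> bytes:
    """Convert a Snort content string with |hex| escapes into raw bytes."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        # even-indexed pieces are literal text, odd-indexed pieces are hex inside |...|
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return out

def dns_query(qname: str) -> bytes:
    """Constructed minimal DNS query: 12-byte header, QNAME, QTYPE A, QCLASS IN."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    return header + encode_qname(qname) + b"\x00\x01\x00\x01"

def negated_content_allows_alert(payload: bytes, pattern: str) -> bool:
    """content:!"pattern" semantics: the rule may still fire only when pattern is absent."""
    return content_bytes(pattern) not in payload

if __name__ == "__main__":
    allowed = "asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com"
    suspect = "asdfwertgsdfsdfasf.fdewqtargfasdf.net"
    for name in (allowed, suspect):
        pkt = dns_query(name)
        print(name)
        # the dotted literal never occurs in wire format, so it excludes nothing
        print("  dotted literal ->", negated_content_allows_alert(pkt, "surbl.example.com"))
        # the label form, anchored by the terminating |00|, excludes only names
        # that END with surbl.example.com, which is the suffix match wanted here
        print("  label form     ->", negated_content_allows_alert(pkt, "|05|surbl|07|example|03|com|00|"))
```

Dropping the trailing |00| turns the label form back into a substring match, so a name such as surbl.example.com.example.org would also be excluded.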

5 Replies


Ok, thanks. I can see how to do that.

Catch: I have a local rule now but the gui doesn't seem to let me add an option unless I click the Save button and then I don't have time to make changes before the rule is saved and the page reloads. Prior to clicking save the 'Add Option' button and associated drop down are greyed out. UI bug? Re-creating the rule from scratch by manually replicating the detection options from the original Cisco rule (metadata: engine shared, soid 3|31738, service dns) results in an error saying I cannot save a shared object rule without metadata.

Doing this means if the Cisco rule changes, my local rule will not track, i.e. I have to maintain the local rule myself, right? (Do the Cisco rules change or do they generally just add new ones?)

Don't know why it would be greyed out. Try a different web browser.

Yes, once you fork a rule it does not get updated by Cisco, you have to maintain it on your own. You can see how many times a rule has been updated by looking at the revision number. Yes, Cisco updates rules from time to time. This does not always change the actual detection behavior but you never know.

Should have mentioned that I tried it in FF, Chrome and IE but had the same behaviour in all three.

Thanks for your response!

Dan Coats
Level 1

You marked this as solved, but did you ever get the rule working? Like you mentioned, if the rule is copied then I can't add the content option because it's greyed out. If I create the rule manually I can add both content and metadata but the rule doesn't appear to ignore the domain entered as desired. If I view the rule and hit save, I get "You cannot save a shared object rule without metadata" which indicates that the rule isn't valid somehow.
