Description
- This signature trips when the sensor sees an outbound DNS request over TCP port 53 that exceeds a certain size. This behavior is seen in Trojans that use the less restrictive channel of port 53 for covert communication between an infected host and a CnC server.
Vector
- DNS Port 53
User-Agent
- N/A
Known False Positive Indicators
- o-o.myaddr.l.google.com (a DNS query that returns the requester's own IP; applications use it to discover their own public IP)
Affected Host
- All
Classification
- Trojan
Sentinel Signature
- TROJAN Large DNS Query possible covert channel
DNS Calls
- Any with a payload of abnormal size.
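The check this signature describes, sketched as an added example (not the Sentinel signature's own logic): it parses a DNS-over-TCP request, suppresses the known false positive listed above, and alerts when the message exceeds a size threshold. The 150-byte threshold, the function names and the sample queries are assumptions constructed for illustration; the page states only "a certain size".

```python
import struct

SIZE_THRESHOLD = 150  # assumption: the page says only "a certain size"
KNOWN_FALSE_POSITIVES = {"o-o.myaddr.l.google.com"}  # from the page

def build_tcp_query(name, txid=0x1234):
    """Build a constructed DNS-over-TCP query: 2-byte length prefix + message."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    msg = header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE A, QCLASS IN
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_query(payload):
    """Return (message_length, qname) for a well-formed query, else None."""
    if len(payload) < 14:  # length prefix + 12-byte DNS header
        return None
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if length < 12 or len(msg) != length:
        return None
    flags, qdcount = struct.unpack("!2H", msg[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a request
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # bad label length or truncated
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos >= len(msg):  # ran off the end without the root label
        return None
    return length, ".".join(labels).lower()

def classify(payload):
    """Return 'malformed', 'allowlisted', 'ok' or 'alert' for one TCP payload."""
    parsed = parse_tcp_query(payload)
    if parsed is None:
        return "malformed"
    length, qname = parsed
    if qname in KNOWN_FALSE_POSITIVES:
        return "allowlisted"
    return "alert" if length > SIZE_THRESHOLD else "ok"
```
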