- This signature trips when the sensor sees an outbound DNS request over port 53 TCP that exceeds a certain size. This is seen in Trojans that utilize the less restrictive channel of port 53 to perform covert communication between an infected host and CnC server.
- DNS Port 53
Known False Positive Indicators
- o-o.myaddr.l.google.com (Which is a DNS query that will return the requesters own IP, used by applications for the discovery of one's own public IP)
TROJAN Large DNS Query possible covert channel
- Any with a payload of abnormal size.