NF – POLICY – Covert iodine tunnel request

The rule detects covert iodine tunnel requests within DNS traffic. The rule helps identify potential unauthorized or covert communication channels using iodine tunnels.

Categories:

ID Number

5002024

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - POLICY - Covert iodine tunnel request"; content:"|01 00 00 01 00 00 00 00 00 01|"; offset:2; depth:10; content:"|00 00 29 10 00 00 00 80 00 00 00|"; detection_filter:track by_src, count 1, seconds 300; metadata:07122014; reference:url,networkforensic.dk; classtype:policy-violation; sid:5002024; rev:1;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Set up firewall rules to restrict DNS traffic to authorized DNS servers and block DNS traffic to external or untrusted DNS servers. This helps prevent covert tunnels from being established over DNS. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.