Signature
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - POLICY - Covert iodine tunnel request"; content:"|01 00 00 01 00 00 00 00 00 01|"; offset:2; depth:10; content:"|00 00 29 10 00 00 00 80 00 00 00|"; detection_filter:track by_src, count 1, seconds 300; metadata:07122014; reference:url,networkforensic.dk; classtype:policy-violation; sid:5002024; rev:1;)
Recommendations/Investigative actions
Set up firewall rules to restrict DNS traffic to authorized DNS servers and block DNS traffic to external or untrusted DNS servers. This helps prevent covert tunnels from being established over DNS. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.
Relations to other alerts