Are DNS Blocking events logged anywhere? How can I make a specific query in order to get a report of these events?
How can I test this to see if it's working?
There is also a signature in HIPS - 6042 - that also refers to a DNS Rule violation, but I am not sure exactly what it is checking.
Any way to test if Sig 6042 is working?
It would be a nice added layer of protection, but I need to see if the "DNS Blocking" events are logged, and what signature 6042 is specifically looking for.
DNS Blocking events are logged locally on HIPS clients only; no ePO events are sent to the ePO server (like other Firewall events, except for TrustedSource and Intrusion events, which are Network IPS events).
I'm not aware of how to test Signature 6042 specifically.
Can I get a more detailed description as to what signature 6042 is checking for? There is no CVE article associated with it. Is it just DNS requests being sent to a computer not hosting something on port 53?
We have some events here and I can't answer them, or explain why this signature was tripped...