epository
Level 10

HIPS Custom Signature to Catch DNS Requests to Malicious Domains

We don't log DNS requests here.

The DNS Blocking feature of Firewall is not logged centrally, but I really want to see machines trying to resolve .cn and .ru domains.

Can this be set up in HIPS to record the URL or to at least pop on these events?

I know there are HIPS rules you can configure for GET requests, but I want to catch beaconing malware, which is usually sending out beacons.

Does anyone have any ideas?

4 Replies
petersimmons
Level 12

Re: HIPS Custom Signature to Catch DNS Requests to Malicious Domains

You might be able to tackle this with Host IPS but you are going to have a really hard time tracking it. I would recommend doing this at a network level with a web gateway or DNS server. You say you don't track it... uh... why not? Alternatively you can probably get a lot further with some unobtrusive logging/blocking with Site Advisor. It would be much easier pursuing those methods. Hopefully one of those would save you a lot of hours.

I realize I didn't answer your question but sometimes you need the right screwdriver for that nail.

0 Kudos
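The network-level approach suggested in this reply (log at the DNS server instead of the endpoint) is easy to turn into a check. The script below is an added example, not code from this thread or from McAfee: it parses resolver query-log lines in BIND's format (a few constructed sample lines are embedded so it runs offline), flags queries whose top-level domain is on a watch list such as .cn and .ru, and then looks for the near-constant query interval that beaconing malware shows by grouping hits per client and domain. The log format, the WATCH_TLDS set and the beacon thresholds (min_count, max_cv) are assumptions to adjust for your own resolver; a Windows DNS debug log needs a different LOG_RE.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in BIND query-log format (assumption: your resolver
# logs queries this way; Windows DNS debug logs need a different LOG_RE).
SAMPLE_LOG = """\
12-Mar-2013 09:00:00.101 client 10.1.2.33#51002: query: update.example.ru IN A + (10.1.0.5)
12-Mar-2013 09:00:05.003 client 10.1.2.33#51003: query: update.example.ru IN A + (10.1.0.5)
12-Mar-2013 09:00:10.110 client 10.1.2.33#51004: query: update.example.ru IN A + (10.1.0.5)
12-Mar-2013 09:00:15.020 client 10.1.2.33#51005: query: update.example.ru IN A + (10.1.0.5)
12-Mar-2013 09:00:15.500 client 10.1.2.40#40000: query: www.example.com IN A + (10.1.0.5)
12-Mar-2013 09:01:12.000 client 10.1.2.40#40001: query: shop.example.cn IN A + (10.1.0.5)
12-Mar-2013 09:01:12.300 client 10.1.2.40#40002: query: mail.example.com IN MX + (10.1.0.5)
"""

# Top-level domains to watch; the thread's example is .cn and .ru.
WATCH_TLDS = {"cn", "ru"}

# Matches both the older "client IP#port: query:" and the newer
# "client IP#port (name): query:" BIND layouts.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def tld(qname):
    return qname.rsplit(".", 1)[-1]


def watched_queries(lines, tlds=WATCH_TLDS):
    """Queries whose TLD is on the watch list, as (timestamp, client, qname)."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and tld(parsed[2]) in tlds:
            hits.append((parsed[0], parsed[1], parsed[2]))
    return hits


def beacon_candidates(events, min_count=4, max_cv=0.2):
    """Flag (client, qname) pairs queried at near-constant intervals.

    A low coefficient of variation (stdev / mean of the gaps between queries)
    is the classic beaconing signal; both thresholds are assumptions to tune.
    Returns (client, qname, count, mean_interval_seconds) tuples.
    """
    by_pair = defaultdict(list)
    for ts, client, qname in events:
        by_pair[(client, qname)].append(ts)
    found = []
    for (client, qname), stamps in sorted(by_pair.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((client, qname, len(stamps), round(avg, 3)))
    return found


if __name__ == "__main__":
    hits = watched_queries(SAMPLE_LOG.splitlines())
    for ts, client, qname in hits:
        print(f"{ts} {client} -> {qname}")
    for client, qname, n, avg in beacon_candidates(hits):
        print(f"BEACON? {client} queried {qname} {n} times, every ~{avg}s")
```

Run it against a real query log by replacing SAMPLE_LOG.splitlines() with the file's lines. With the sample data, 10.1.2.33 is reported for update.example.ru every ~5 seconds, while the single shop.example.cn lookup from 10.1.2.40 is listed as a hit but not as a beacon.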
McAfee Employee

Re: HIPS Custom Signature to Catch DNS Requests to Malicious Domains

Can this be set up in HIPS to record the URL or to at least pop on these events?

HIPS cannot be setup to perform this request.

I know there are HIPS rules you can configure GET requests,
These are for Host IPS signatures on IIS & Apache server GET requests; not client outbound HTTP GET requests.

0 Kudos
epository
Level 10

Re: HIPS Custom Signature to Catch DNS Requests to Malicious Domains

I have to ask because the DNS Blocking hits are not reported centrally.

Hmmm... this seems difficult to knock out... or is it impossible?

HIPS may not be the right tool for the job, I think.

But HIPS does do packet captures:

Using the Capture feature in Host Intrusion Prevention (Host IPS) creates a file on the local computer when a Host IPS signature is triggered. This file is named Firepacket#.cap (where # represents a number appended to the filename).

What are we supposed to do with those?

0 Kudos
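If a Firepacket capture does hold DNS traffic, the useful thing to do with it is pull out the query names and the client that asked for them. The script below is an added example and not McAfee code: it assumes the capture is a classic pcap file carrying Ethernet frames (the thread does not say what format Firepacket#.cap uses, so check yours first), walks each packet down to UDP port 53, decodes the question name, and filters on the same .cn/.ru watch list. A two-packet capture is constructed inside the script so it runs offline; build_pcap and build_dns_query_packet exist only to produce that test data.

```python
import socket
import struct

WATCH_TLDS = {"cn", "ru"}


def encode_qname(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query_packet(src_ip, dst_ip, qname, txid=0x1234):
    """Constructed Ethernet/IPv4/UDP/DNS query frame (test data, checksums zero)."""
    dns = (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
           + encode_qname(qname) + struct.pack(">HH", 1, 1))  # QTYPE A, QCLASS IN
    udp = struct.pack(">HHHH", 51000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Classic little-endian pcap container, linktype 1 (Ethernet)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", 1363078800 + i, 0, len(frame), len(frame)) + frame
    return blob


def decode_qname(data, offset):
    """Decode an uncompressed DNS name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def dns_queries_from_pcap(blob):
    """Return (source_ip, qname, qtype) for every DNS query to UDP/53 in a pcap."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", blob[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    results, pos = [], 24
    while pos + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])[2]
        pos += 16
        frame = blob[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue  # not UDP
        udp = ip[ihl:]
        dport = struct.unpack(">H", udp[2:4])[0]
        dns = udp[8:]
        if dport != 53 or len(dns) < 12:
            continue  # only client-to-resolver queries
        flags, qdcount = struct.unpack(">HH", dns[2:6])
        if flags & 0x8000 or qdcount == 0:
            continue  # response, or no question
        qname, off = decode_qname(dns, 12)
        qtype = struct.unpack(">H", dns[off:off + 2])[0]
        results.append((socket.inet_ntoa(ip[12:16]), qname.lower(), qtype))
    return results


def watched(queries, tlds=WATCH_TLDS):
    return [q for q in queries if q[1].rsplit(".", 1)[-1] in tlds]


SAMPLE_PCAP = build_pcap([  # constructed capture: one .ru lookup, one .com lookup
    build_dns_query_packet("10.1.2.33", "10.1.0.5", "update.example.ru"),
    build_dns_query_packet("10.1.2.40", "10.1.0.5", "www.example.com"),
])

if __name__ == "__main__":
    for src, name, qtype in watched(dns_queries_from_pcap(SAMPLE_PCAP)):
        print(f"{src} asked for {name} (qtype {qtype})")
```

For a real file, pass the bytes read in binary mode to dns_queries_from_pcap; the decoder relies on Python 3 bytes indexing yielding integers. IP and UDP checksums are not verified, which is fine for reading a capture but means the builder's frames would be dropped by a real stack.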
petersimmons
Level 12

Re: HIPS Custom Signature to Catch DNS Requests to Malicious Domains

Those are only captured as part of the 19 network signatures. Our Host IPS product is primarily a tool to catch one program interfering with another through the use of APIs --- not packets. This is really the wrong tool for what you are doing.

0 Kudos