In order to cope with malicious domains set up by the DGA (Domain generation Algorithms) and with DNS tunneling I am searching the Mcafee ESM to see if it has any capabilities of calculating the Shannon Entropy value so far without any luck. Does anyone know of a method to receive said information from the ESM for analytical purposes?
Not sure you can do that with just the SIEM platform, the SIEM does support limited operators inside parser rules, but nothing so complex (using the GUI anyways) as Chi(^2) values or Shannon Entropy. However, there are other ways of detecting dns tunneling. Some of these include
Copious amounts of TXT queries to the same domain / TLD combination.
AAAA queries, if your environment is not running IPv6 (allow for more return data encoded inside IP addresses)
DNS tunneling can only transfer very small amounts of data per request, so you will see a very large burst in traffic.
Often DNS tunneling attacks will use a completely new domain that has never been seen before inside your environment. (A correlation component can assist with building these sorts of rules.)
It also possible that using only the Shannon Entropy can lead to a great deal of false positives. It also seems to avoid this detection a tunnel could just add random padding bits to lower their entropy value.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.