Signature Detail

Short Name	DNS:AUDIT:UNASSIGNED-OPCODE
Severity	High
Recommended	Yes
Recommended Action	Drop
Category	DNS
Keywords	KAZY BotNet C&C
Release Date	2012/05/10
Update Number	2133
Supported Platforms	di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

DNS: Unassigned Opcode

This signature detects DNS requests that use an unassigned opcode. No RFC currently has a use defined for these opcodes, therefore, their use is anomalous. Many Trojan BotNets use a pseudo-DNS format for command and control, which can trigger this signature

References

URL: http://tools.ietf.org/html/rfc5395#section-2.2
URL: http://www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

DNS: Unassigned Opcode

References