<div dir="ltr">Hi,<div><br></div><div>The Emerging Threats PRO ruleset [1] contains several sigs for detecting DNSCat tunneling.</div><div><br></div><div>[1] <a href="https://www.proofpoint.com/us/threat-insight/et-pro-ruleset">https://www.proofpoint.com/us/threat-insight/et-pro-ruleset</a></div><div><br></div><div>Best,</div><div><br></div><div>Jack</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 12, 2018 at 12:05 AM, Blason R <span dir="ltr"><<a href="mailto:blason16@gmail.com" target="_blank">blason16@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi there,<div><br></div><div>Is anyone aware if any rule available to detect or block DNScat tool? Can someone please point me?</div></div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div>