DNS Request führen immer zu Intrusion Prevention Alert

Hallo Marc,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. )

If a recent pattern update didn't resolve this, please copy here the relevant lines from the Intrusion Prevention log.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Hi Bob,

das ist das was im Log steht, ziemlich genau das was ich auch oben schon geschrieben habe, die Destination IPs sind immer der lokalen DNS Server:

2022:02:11-02:26:01 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="60692" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2022:02:11-02:26:01 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="58120" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2022:02:11-04:01:22 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="61304" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

Gibt auch mit den Google-DNS Servern als Auslösern:

2022:02:11-12:43:39 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.4.4" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="61239" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2022:02:11-12:44:13 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.4.4" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="62376" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

Hi Marc,

There was a problem with some name servers, but using Google resolved that.  If you're still having this problem, I would open a case with Sophos Support.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Ich habe den DNS von Quad an erster Stelle und Google erst an 2. und 3. ... ich habe das mal geändert und Quad an die dritte Stelle geschoben. Ich werde mal beobachten ob das etwas ändert. Ich bin allerdings der Meinung auch die Google-IPs schon in den Meldungen gesehen zu haben, naja mal abwarten.

Also das ändern auf Google als ersten DNS hilft kein bischen...

Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2022-03-15 08:58:03
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 8.8.8.8 (dns.google)
Source port: 53 (domain)
Destination IP address: xx.xx.xx.xx (yyyyy.zzzz.local)
Destination port: 63401
        
--- SG210-UTM9 ---

Werde dann wohl ein Ticket eröffnen müssen..