Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 1585 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS Request führen immer zu Intrusion Prevention Alert

MarcK

Hi,

aus einem nicht ganz klaren Grund führen DNS Request zu Intrusion Prevention Alerts. 

Immer der Art

[CRIT-850] Intrusion Prevention Alert

 

Intrusion Prevention Alert

 

An intrusion has been detected. The packet has *not* been dropped.

If you want to block packets like this one in the future,

set the corresponding intrusion protection rule to "drop" in WebAdmin.

Be careful not to block legitimate traffic caused by false alerts though.

 

Details about the intrusion alert:

 

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt

Details........: https://www.snort.org/search?query=57878

Time...........: 2022-01-24 12:36:35

Packet dropped.: no

Priority.......: high

Classification.: Attempted User Privilege Gain

IP protocol....: 17 (UDP)

 

Source IP address: 8.8.8.8 (dns.google)

Source port: 53 (domain)

Destination IP address: xxx.xxx.xxx.xxx (xxx.yyy.zzz)

Destination port: 59541

       

--- SG210-UTM9 @ BR ---

 

--

HA Status          : HA MASTER (node id: 1)

System Uptime      : 103 days 4 hours 29 minutes

System Load        : 0.53

System Version     : Sophos UTM 9.707-5

 

Please refer to the manual for detailed instructions.

Destination IP ist immer einer der internen DNS Server des AD.

Es ist etwas weniger wenn ich die internen DNS Server die Weiterleitung direkt machen lasse, es ist deutlich mehr, wenn die Weiterleitung über die UTM als Zwischenschritt geht.

Ich verstehe auch nicht, warum die Pakete nicht gedroppt werden, in den Intrusion Prevention Einstellungen ist alles auf verwerfen eingestellt.

Woran liegt dieses Verhalten?

 



This thread was automatically locked due to age.
Parents
  • 0

    Hallo Marc,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. Frowning2)

    If a recent pattern update didn't resolve this, please copy here the relevant lines from the Intrusion Prevention log.

    MfG - Bob (Bitte auf Deutsch weiterhin.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    das ist das was im Log steht, ziemlich genau das was ich auch oben schon geschrieben habe, die Destination IPs sind immer der lokalen DNS Server:

    2022:02:11-02:26:01 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="60692" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2022:02:11-02:26:01 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="58120" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    2022:02:11-04:01:22 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="61304" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

    

    

    
				                    
    
                
    Grüße aus dem Sauerland und dem Ruhrgebiet
    

    Marc
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	

  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
												
						in reply to MarcK
					
									
    
	
    

		
		
    
					
    Gibt auch mit den Google-DNS Servern als Auslösern:
    

    2022:02:11-12:43:39 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.4.4" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="61239" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
    
2022:02:11-12:44:13 mail-1 snort[1573]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.4.4" dstip="www.xxx.yyy.zzz" proto="17" srcport="53" dstport="62376" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

    

    
				                    
    
                
    Grüße aus dem Sauerland und dem Ruhrgebiet
    

    Marc
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	

  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
												
						in reply to MarcK
					
									
    
	
    

		
		
    
					
    Hi Marc,
    

    There was a problem with some name servers, but using Google resolved that.  If you're still having this problem, I would open a case with Sophos Support.
    

    MfG - Bob (Bitte auf Deutsch weiterhin.)
    
				                    
    
                
     
    

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    

    MediaSoft, Inc. USA
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	




Reply

    


  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
												
						in reply to MarcK
					
									
    
	
    

		
		
    
					
    Hi Marc,
    

    There was a problem with some name servers, but using Google resolved that.  If you're still having this problem, I would open a case with Sophos Support.
    

    MfG - Bob (Bitte auf Deutsch weiterhin.)
    
				                    
    
                
     
    

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    

    MediaSoft, Inc. USA
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 





Children
	
    
	

  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
												
						in reply to BAlfson
					
									
    
	
    

		
		
    
					
    Ich habe den DNS von Quad an erster Stelle und Google erst an 2. und 3. ... ich habe das mal geändert und Quad an die dritte Stelle geschoben. Ich werde mal beobachten ob das etwas ändert. Ich bin allerdings der Meinung auch die Google-IPs schon in den Meldungen gesehen zu haben, naja mal abwarten.
    
				                    
    
                
    Grüße aus dem Sauerland und dem Ruhrgebiet
    

    Marc
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	

  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
												
						in reply to MarcK
					
									
    
	
    

		
		
    
					
    Also das ändern auf Google als ersten DNS hilft kein bischen...
    

    Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2022-03-15 08:58:03
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 8.8.8.8 (dns.google)
Source port: 53 (domain)
Destination IP address: xx.xx.xx.xx (yyyyy.zzzz.local)
Destination port: 63401
        
--- SG210-UTM9 ---
    

    

    Werde dann wohl ein Ticket eröffnen müssen..
    
				                    
    
                
    Grüße aus dem Sauerland und dem Ruhrgebiet
    

    Marc
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	


		
			





















































			











Unfiltered HTML