rule 57878 and awsdns

Am I the only one plagued by this? 500 alerts in a couple of hours over a 10-year-old vulnerability.

Rule now set to drop and notify off. It is not one awsdns server. It looks to be all of them.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-07-17 11:47:19
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 205.251.192.220 (ns-220.awsdns-27.com)

  • Same here, but with dns.google (8.8.8.8).

  • Also here in our environment since last weekend:

    The blocked hosts are our public DNS resolvers. If the IPS blocks the current DNS request, no DNS resolution is possible for the client.

    IPS Log:

    snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="XpublicDNSServerIPX" dstip="ClientIP" proto="17" srcport="53" dstport="22184" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

  • As a mod, I see the IP from which you posted.  It appears that there's a bad pattern in the update servers used by Nederland, UK and Deutschland.  Hopefully, one of you already has opened a case with Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your feedback. Yes, I'm sure that it is a false positive.

  • Has anyone come up with a solution or has it been identified as a false positive?

  • Seeing this here also. The DNS requests in question are for "www.limango.de" and "rpe.dymatrix.cloud". I also guess that these are false alarms, but would like to see a confirmation and of course a bugfix so that these false alarms stop.

  • Hi Robert and welcome to the UTM Community!

    I'm not seeing this at any of my clients here in the US.  Can you show us a picture of the notification you received?

    Cheers - Bob
  • Thanks Bob!

    Here's the entire alert:

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has *not* been dropped.
    If you want to block packets like this one in the future,
    set the corresponding intrusion protection rule to "drop" in WebAdmin.
    Be careful not to block legitimate traffic caused by false alerts though.

    Details about the intrusion alert:

    Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
    Details........: https://www.snort.org/search?query=57878
    Time...........: 2021-08-26 14:38:14
    Packet dropped.: no
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 17 (UDP)

    Source IP address: 8.8.8.8 (dns.google)
    Source port: 53 (domain)
    Destination IP address: 192.168.250.10
    Destination port: 61652

    --
    System Uptime      : 34 days 0 hours 14 minutes
    System Load        : 0.07
    System Version     : Sophos UTM 9.705-3

    Please refer to the manual for detailed instructions.

  • I take it back - see my response to Robert.  I think this is just an issue that occurs occasionally when requesting name resolution from remote name servers.  No bad patterns at all.

    Cheers - Bob
  • At least here it happens much more than occasionally: I see approx. 40-60 IPS warnings per day, referring to this rule ID, caused by only 2 workstations. You are right: not all DNS queries/replies trigger the IPS event, but most of them.

    As far as I can see from Google, "limango.de" and "rpe.dymatrix.cloud" do not sound dangerous. Therefore I guess these are false alarms. Or do I have any chance to check whether these alarms are indeed serious?

    Given that these alarms are false alarms, I consider this to be a bug within the UTM firmware or patterns. And this should be solved, because we cannot check all these alarms manually. The alarm notifications do not even provide the host name that has been queried, therefore we have to check DNS server logs or whatever to find out whether new alarms are for the already known "false hosts" or for new hosts which might indeed be worth checking. Or we ignore all these IPS alarms, or we disable this rule, but neither really makes sense.
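The IPS log line quoted earlier in the thread (the `snort[1141]: id="2101" ... sid="57878"` format) carries the source IP and source port but not the queried name, which is exactly the triage gap the previous post describes. The script below is an added example, not from the thread and not Sophos tooling: it parses that key="value" log format, counts alerts per SID and source, and separates DNS replies (source port 53) from a list of resolvers the site actually uses from everything else, so only the remainder needs a manual look. The sample log lines are constructed in the thread's format (the 8.8.8.8 and awsdns addresses are the ones quoted above, the client addresses are RFC 1918 placeholders), the `KNOWN_RESOLVERS` set is an assumption for your environment, and the suppression lines it emits use plain Snort 2 `threshold.conf` syntax rather than the UTM WebAdmin rule-modification UI.

```python
import re
from collections import Counter, defaultdict

# key="value" pairs as written in the UTM IPS log (see the snort[...] line in the thread).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines in the thread's log format. The final line is a
# non-IPS packet-filter line, included to show that the parser skips it.
SAMPLE_LOG = """\
2021-08-26T14:38:14 utm snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.8.8" dstip="192.168.250.10" proto="17" srcport="53" dstport="61652" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021-08-26T14:39:02 utm snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="8.8.8.8" dstip="192.168.250.11" proto="17" srcport="53" dstport="50122" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021-08-26T14:40:45 utm snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="205.251.192.220" dstip="192.168.250.10" proto="17" srcport="53" dstport="22184" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021-08-26T14:41:00 utm ulogd[2042]: id="2001" severity="info" sys="SecurePacketFilter" sub="packetfilter" name="Packet dropped" action="drop" srcip="192.168.250.10" dstip="8.8.8.8" proto="17" srcport="61652" dstport="53"
"""

# Assumption: the resolvers this site has configured. Adjust to your environment.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_line(line):
    """Return the key="value" fields of one IPS alert line, or None for any other line."""
    if 'sub="ips"' not in line:
        return None
    return dict(KV_RE.findall(line))


def summarise(log_text):
    """Count alerts per SID and per source (ip, port).

    Keying on the source port lets a DNS answer (port 53) be told apart
    from anything else claiming to be the same host.
    """
    by_sid = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "sid" not in fields:
            continue
        by_sid[fields["sid"]][(fields["srcip"], fields.get("srcport", ""))] += 1
    return by_sid


def triage(by_sid, sid, known_resolvers):
    """Split a SID's sources into 'expected' (DNS replies from a known resolver)
    and 'review' (everything else). Only the second set needs a manual look."""
    expected, review = Counter(), Counter()
    for (ip, port), n in by_sid.get(sid, Counter()).items():
        if ip in known_resolvers and port == "53":
            expected[ip] += n
        else:
            review[ip] += n
    return dict(expected), dict(review)


def suppress_lines(sid, ips, gen_id=1):
    """Plain Snort 2 threshold.conf suppressions scoped to the given source IPs.

    This is the generic Snort syntax, not the UTM WebAdmin rule-modification UI;
    scoping to by_src keeps the rule active for every other source.
    """
    return [f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {ip}"
            for ip in sorted(ips)]


if __name__ == "__main__":
    by_sid = summarise(SAMPLE_LOG)
    expected, review = triage(by_sid, "57878", KNOWN_RESOLVERS)
    print("expected (known resolver, source port 53):", expected)
    print("needs review:", review)
    for line in suppress_lines("57878", expected):
        print(line)
```

Run it against an export of the IPS log instead of `SAMPLE_LOG` to see which sources actually trigger the SID. Anything in the "review" set (in the sample, the awsdns address, which is not in the assumed resolver list) is what to correlate with the resolver's query log by destination IP, destination port and timestamp to recover the queried name; the "expected" set is the candidate for a source-scoped suppression rather than disabling the rule outright.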