Am I the only one plagued by this? 500 alerts in a couple of hours over a 10-year-old vulnerability.
The rule is now set to drop and notify off. It is not one awsdns server; it looks to be all of them.
Details about the intrusion alert:
Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-07-17 11:47:19
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)
Source IP address: 220.127.116.11 (ns-220.awsdns-27.com)
Same here, but with dns.google (18.104.22.168).
Also here in our environment since last weekend:
The blocked hosts are our public DNS resolvers. If the IPS blocks the current DNS request, no DNS resolution is possible for the client.
snort: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="XpublicDNSServerIPX" dstip="ClientIP" proto="17" srcport="53" dstport="22184" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
As a mod, I see the IP from which you posted. It appears that there's a bad pattern in the update servers used by Nederland, UK and Deutschland. Hopefully, one of you already has opened a case with Sophos Support.
Cheers - Bob
Thanks for your feedback; yes, I'm sure that it is a false positive.
Has anyone come up with a solution or has it been identified as a false positive?
Seeing this here also; the DNS requests in question are for "www.limango.de" and "rpe.dymatrix.cloud". I also guess that these are false alarms, but would like to see a confirmation and of course a bugfix so that these false alarms stop.
Hi Robert and welcome to the UTM Community!
I'm not seeing this at any of my clients here in the US. Can you show us a picture of the notification you received?
Here's the entire alert:
Intrusion Prevention Alert
An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future, set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.
Details about the intrusion alert:
Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-08-26 14:38:14
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)
Source IP address: 22.214.171.124 (dns.google)
Source port: 53 (domain)
Destination IP address: 192.168.250.10
Destination port: 61652
--
System Uptime : 34 days 0 hours 14 minutes
System Load : 0.07
System Version : Sophos UTM 9.705-3
Please refer to the manual for detailed instructions.
I take it back - see my response to Robert. I think this is just an issue that occurs occasionally when requesting name resolution from remote name servers. No bad patterns at all.
At least here it happens much more than occasionally: I see approx. 40-60 IPS warnings per day, referring to this rule ID, caused by only 2 workstations. You are right: not all DNS queries/replies trigger the IPS event, but most of them.
As far as I can see from Google, "limango.de" and "rpe.dymatrix.cloud" do not sound dangerous. Therefore I guess these are false alarms. Or do I have any chance to check whether these alarms are indeed serious?
Given that these alarms are false alarms, I consider this to be a bug within the UTM firmware or patterns. And this should be solved, because we cannot check all these alarms manually. The alarm notifications do not even provide the host name that has been queried, therefore we have to check DNS server logs or whatever to find out whether new alarms are for the already known "false hosts" or for new hosts which might indeed be worth checking. Or we ignore all these IPS alarms, or we disable this rule, but neither really makes sense.
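The triage problem raised in the last post (the notification carries the resolver and the client, but not the queried name) can be worked around by correlating the IPS log with the resolver's query log. The following is an added example, not code from this thread or from Sophos: it parses IPS lines in the key="value" format shown earlier in the thread, joins each alert to the DNS query it answers using the client IP and the client's source port (the alert's dstip/dstport, because the rule fires on the response from port 53), and then sorts alerts into "known benign name", "new name to review", and "no matching query". The DNS query log format used here (client IP, client port, query name) is a simplified, hypothetical one; adapt parse_dns_line to your resolver's real log format. All addresses and log lines are constructed sample data, and the two benign names are the ones named in the thread.

```python
import re
from collections import Counter

# Constructed IPS log lines in the UTM key="value" format shown in this thread.
# Addresses and ports are made up; sid 57878 is the rule the thread discusses.
IPS_TEMPLATE = (
    'snort: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" '
    'reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" '
    'group="241" srcip="{src}" dstip="{dst}" proto="17" srcport="53" dstport="{dport}" '
    'sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"'
)
UTM_IPS_LOG = "\n".join(
    IPS_TEMPLATE.format(src=src, dst=dst, dport=dport)
    for src, dst, dport in [
        ("8.8.8.8", "192.168.250.10", 61652),  # answered query for a known benign name
        ("8.8.4.4", "192.168.250.11", 22184),  # answered query for a known benign name
        ("8.8.8.8", "192.168.250.10", 40001),  # answered query for a name not seen before
        ("8.8.8.8", "192.168.250.10", 50000),  # no matching query in the DNS log
    ]
)

# Constructed resolver query log in a hypothetical simplified format:
# "<client_ip> <client_source_port> <query_name>". Adapt parse_dns_line to your resolver.
DNS_QUERY_LOG = """\
192.168.250.10 61652 www.limango.de
192.168.250.11 22184 rpe.dymatrix.cloud
192.168.250.10 40001 cdn.example.net
192.168.250.12 5353 intranet.example
"""

# Names already confirmed as false-positive triggers (taken from the thread).
KNOWN_BENIGN = {"www.limango.de", "rpe.dymatrix.cloud"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Parse one UTM IPS log line of key="value" pairs into a dict."""
    return dict(KV_RE.findall(line))


def parse_dns_line(line):
    """Parse one (hypothetical-format) resolver log line into (client_ip, port, qname)."""
    client_ip, client_port, qname = line.split()
    return client_ip, int(client_port), qname.lower().rstrip(".")


def build_query_index(dns_log):
    """Index queries by (client_ip, client_source_port) so responses can be matched."""
    index = {}
    for line in dns_log.splitlines():
        if line.strip():
            ip, port, qname = parse_dns_line(line)
            index[(ip, port)] = qname
    return index


def enrich_alerts(ips_log, dns_log, sid="57878"):
    """Attach the queried name to each alert for the given sid.

    The rule fires on the DNS *response* (srcport 53), so the alert's dstip/dstport
    is the client address and the source port of the client's original query.
    In production also constrain the match to a short time window, since
    ephemeral ports are reused.
    """
    index = build_query_index(dns_log)
    enriched = []
    for line in ips_log.splitlines():
        alert = parse_ips_line(line)
        if alert.get("sid") != sid or alert.get("srcport") != "53":
            continue
        alert["qname"] = index.get((alert["dstip"], int(alert["dstport"])))
        enriched.append(alert)
    return enriched


def triage(enriched, known_benign):
    """Count alerts per verdict and list the ones that need a human look."""
    verdicts = Counter()
    to_review = []
    for alert in enriched:
        if alert["qname"] is None:
            verdict = "unmatched"
        elif alert["qname"] in known_benign:
            verdict = "known_benign"
        else:
            verdict = "review"
            to_review.append((alert["dstip"], alert["srcip"], alert["qname"]))
        alert["verdict"] = verdict
        verdicts[verdict] += 1
    return dict(verdicts), to_review


if __name__ == "__main__":
    counts, review = triage(enrich_alerts(UTM_IPS_LOG, DNS_QUERY_LOG), KNOWN_BENIGN)
    print(counts)
    for client, resolver, name in review:
        print(f"review: client {client} asked {resolver} for {name}")
```

Only the "review" bucket needs manual attention; once a name there is confirmed harmless it is added to KNOWN_BENIGN, and "unmatched" alerts point at gaps in DNS logging (or port reuse) rather than at anything the rule found.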