This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

rule 57878 and awsdns

Am I the only one plagued by this? 500 alerts in a couple of hours over a 10 year old vulnerability.

Rule is now set to drop, with notify off. It is not one awsdns server. It looks to be all of them.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-07-17 11:47:19
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 205.251.192.220 (ns-220.awsdns-27.com)



  • Also here in our environment since last weekend:

    Blocked hosts are our public DNS resolvers. If the IPS blocks the current DNS request, no DNS resolving is possible for the client.

    IPS Log:

    snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="XpublicDNSServerIPX" dstip="ClientIP" proto="17" srcport="53" dstport="22184" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

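Added example, not part of the thread or of the Sophos/Snort product: a small triage script that parses the snort[...] key="value" alert lines quoted above, picks out sid 57878, and separates DNS replies (UDP, source port 53) coming from the resolvers you actually configured from anything else. The sample log lines and the TRUSTED_RESOLVERS allowlist are constructed for the example; 205.251.192.220 is the awsdns address from the first post, the other addresses are placeholders. The script also lists the client IPs whose resolver answers were dropped, which is the "no DNS resolving for the client" impact the second post describes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the snort[...] key="value" format quoted in the thread.
# Client addresses are documentation ranges; 205.251.192.220 is the awsdns address from
# the first post, 9.9.9.9 and 198.51.100.77 stand in for other reply sources. The last
# line is a constructed alert for a different sid, to show that it is ignored.
SAMPLE_LOG = """\
snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="205.251.192.220" dstip="192.0.2.10" proto="17" srcport="53" dstport="22184" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="9.9.9.9" dstip="192.0.2.11" proto="17" srcport="53" dstport="40001" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt" group="241" srcip="198.51.100.77" dstip="192.0.2.12" proto="17" srcport="53" dstport="51515" sid="57878" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
snort[1141]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="constructed sample alert for another rule" group="241" srcip="198.51.100.77" dstip="192.0.2.12" proto="6" srcport="4444" dstport="80" sid="1000001" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# Assumed allowlist of the resolvers/forwarders this site really uses (constructed; edit for your site).
TRUSTED_RESOLVERS = ["205.251.192.220/32", "9.9.9.9/32"]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_alert(line):
    """Parse one IPS log line into a dict of its key="value" fields (None for non-IPS lines)."""
    if 'sub="ips"' not in line:
        return None
    return dict(KV_RE.findall(line))


def classify(alert, trusted, sid="57878"):
    """Return a triage verdict for a parsed alert, or None if the alert is for another sid."""
    if alert.get("sid") != sid:
        return None
    src = ip_address(alert["srcip"])
    # UDP with source port 53 means this packet is the resolver's answer to the client.
    is_dns_reply = alert.get("proto") == "17" and alert.get("srcport") == "53"
    from_trusted = any(src in net for net in trusted)
    if is_dns_reply and from_trusted:
        return "likely-false-positive"   # our own resolver's answer matched the signature
    if is_dns_reply:
        return "review"                  # a DNS answer from a resolver we did not configure
    return "investigate"                 # not a plain DNS reply at all


def triage(lines, trusted_resolvers=TRUSTED_RESOLVERS):
    """Run classify() over log lines; returns (srcip, dstip, action, verdict) per matching alert."""
    trusted = [ip_network(n) for n in trusted_resolvers]
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        verdict = classify(alert, trusted)
        if verdict is not None:
            out.append((alert["srcip"], alert["dstip"], alert.get("action"), verdict))
    return out


def impact(verdicts):
    """Count verdicts per source and list the clients whose resolver answers were dropped."""
    per_source = Counter((src, v) for src, _dst, _act, v in verdicts)
    clients_without_dns = sorted({dst for _src, dst, act, v in verdicts
                                  if act == "drop" and v == "likely-false-positive"})
    return per_source, clients_without_dns


if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG.splitlines())
    counts, clients = impact(verdicts)
    for (src, verdict), n in sorted(counts.items()):
        print(f"{src:16} {verdict:22} {n}")
    print("clients whose DNS replies were dropped:", clients)
```

Feed it the real log export instead of SAMPLE_LOG and the per-source counts show at a glance whether the noise is all resolver answers (source port 53 from your configured resolvers) or whether something else is also tripping the rule; only the "review" and "investigate" rows need a human look before deciding to set the rule to notify-only or drop.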