rule 57878 and awsdns

Has anyone come up with a solution or has it been identified as a false positive?

Has anyone come up with a solution or has it been identified as a false positive?

Seeing this here also, DNS request in question are for "www.limango.de" and "rpe.dymatrix.cloud". I also guess that these are false alarms, but would like to see a confirmation and of course a bugfix so that these false alarms stop.

Hi Robert and welcome to the UTM Community!

I'm not seeing this at any of my clients here in the US.  Can you show us a picture of the notification you received?

Cheers - Bob

Thanks Bob!

Here's the entire alert:

​Intrusion Prevention Alert

An intrusion has been detected. The packet has *not* been dropped.
If you want to block packets like this one in the future,
set the corresponding intrusion protection rule to "drop" in WebAdmin.
Be careful not to block legitimate traffic caused by false alerts though.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-08-26 14:38:14
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 8.8.8.8 (dns.google)
Source port: 53 (domain)
Destination IP address: 192.168.250.10
Destination port: 61652

--
System Uptime      : 34 days 0 hours 14 minutes
System Load        : 0.07
System Version     : Sophos UTM 9.705-3

Please refer to the manual for detailed instructions.

I don't think this is caused by anything in the UTM - probably an issue somewhere between Google and you.  I've seen anti-UDP and anti-ICMP flooding activity for response packets from Google DNS, and more so in the last 7 weeks.

Cheers - Bob

but not only with google dns-server. If the sophos uses cleanbrowsing as dns-forwarder, same will be logged every day since weeks:

"57878: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt"