rule 57878 and awsdns

Am I the only one plagued by this? 500 alerts in a couple of hours over a 10 year old vulnerability.

Rule now set to drop and notify off. It is not one awsdns server. It looks to be all of them.

Details about the intrusion alert:

Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-07-17 11:47:19
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 205.251.192.220 (ns-220.awsdns-27.com)

  • Has anyone come up with a solution or has it been identified as a false positive?

  • Hi Robert and welcome to the UTM Community!

    I'm not seeing this at any of my clients here in the US.  Can you show us a picture of the notification you received?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob!

    Here's the entire alert:

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has *not* been dropped.
    If you want to block packets like this one in the future,
    set the corresponding intrusion protection rule to "drop" in WebAdmin.
    Be careful not to block legitimate traffic caused by false alerts though.

    Details about the intrusion alert:

    Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
    Details........: https://www.snort.org/search?query=57878
    Time...........: 2021-08-26 14:38:14
    Packet dropped.: no
    Priority.......: high
    Classification.: Attempted User Privilege Gain
    IP protocol....: 17 (UDP)

    Source IP address: 8.8.8.8 (dns.google)
    Source port: 53 (domain)
    Destination IP address: 192.168.250.10
    Destination port: 61652

    --
    System Uptime      : 34 days 0 hours 14 minutes
    System Load        : 0.07
    System Version     : Sophos UTM 9.705-3

    Please refer to the manual for detailed instructions.

  • I don't think this is caused by anything in the UTM - probably an issue somewhere between Google and you.  I've seen anti-UDP and anti-ICMP flooding activity for response packets from Google DNS, and more so in the last 7 weeks.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • But not only with the Google DNS server. If the Sophos uses CleanBrowsing as DNS forwarder, the same has been logged every day for weeks:

    "57878: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt"
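As an added triage helper (not from this thread or from Sophos): it parses an alert body in the layout posted above and applies the reasoning given in the replies, namely that a 57878 hit arriving from port 53 of a resolver the UTM itself forwards to, addressed to an internal host's ephemeral port, is a reply to the UTM's own query rather than unsolicited traffic. The forwarder list and internal ranges are assumed, constructed values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the same layout the UTM mails (values taken from the thread).
SAMPLE_ALERT = """\
Message........: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt
Details........: https://www.snort.org/search?query=57878
Time...........: 2021-08-26 14:38:14
Packet dropped.: no
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 17 (UDP)

Source IP address: 8.8.8.8 (dns.google)
Source port: 53 (domain)
Destination IP address: 192.168.250.10
Destination port: 61652
"""

# Assumed local configuration (constructed): forwarders the UTM is set to use,
# and the internal ranges that hold the UTM/resolver issuing upstream queries.
CONFIGURED_FORWARDERS = {"8.8.8.8", "8.8.4.4"}
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Matches both "Key........: value" and "Key: value" lines of the notification.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.*:\s*(?P<value>.+?)\s*$", re.M)

def parse_alert(text):
    """Return the alert's fields as a dict keyed by the bare field name."""
    return {m.group("key").strip(): m.group("value") for m in FIELD_RE.finditer(text)}

def rule_id(fields):
    m = re.search(r"query=(\d+)", fields.get("Details", ""))
    return int(m.group(1)) if m else None

def triage(fields):
    """Return (verdict, reason) for a DNS-rule hit such as 57878."""
    first = lambda key: fields.get(key, "0").split()[0]  # strip "(name)" suffixes
    src, dst = first("Source IP address"), first("Destination IP address")
    sport, dport = int(first("Source port")), int(first("Destination port"))
    udp = "UDP" in fields.get("IP protocol", "")
    internal_dst = dst != "0" and any(ip_address(dst) in n for n in INTERNAL_NETS)
    if not (udp and sport == 53 and dport > 1023 and internal_dst):
        return ("review", "not a DNS reply to an internal ephemeral port")
    if src in CONFIGURED_FORWARDERS:
        return ("likely-false-positive", f"reply from configured forwarder {src}")
    return ("review", f"reply from unlisted DNS server {src}")
```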
