Signature 6055 (DNS buffer overflow) firing for NTP. Why?

Unanswered Question
Jun 6th, 2007

Seeing an AIP-SSM signature (DNS Inverse Query Buffer Overflow) firing when a switch configured to sync with an internet NTP server generates a high event. While the switch is sourcing the NTP request from port 53, DNS doesn't appear to be involved. Destination port is 123. I'm confident this can be tuned out, but I'd like to know if the source port 53 (inverse DNS request?) is enough to fire this signature.

mhellman Wed, 06/06/2007 - 07:47
User Badges:
  • Blue, 1500 points or more

That is strange. The engine on our sensor is "service DNS" and has settings for query opcodes, etc., so supposedly it understands the DNS protocol pretty well. I'm not sure how it could interpret NTP as DNS.


It is odd that the switch is using a source port of 53 though. It really shouldn't do that.

mprescher Wed, 06/06/2007 - 08:19

That's what I thought... I won't be able to get a capture myself, but I'll forward the info to those that might want to follow.


It seems to be either a problem with the way the switch (3560 running 12.2.25 s1) is formatting the request, or (and this is probably more likely) the way the IPS 6.x AIM-SSM module is interpreting the traffic. I guess I can imagine ways the IPS would want to fire this signature when it sees a source 53, or thinks it sees a source 53, but it's hard for me to believe it really is sourced from port 53. Thanks.
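Added example, written for this page and not taken from either poster or from Cisco: a small Python script that decodes one constructed UDP datagram first as an NTP parser would and then as a decoder keyed only on "port 53 means DNS" would, so you can see for yourself what a DNS header parse makes of an NTP client request sourced from UDP/53. It assumes a 48-byte NTPv4 mode-3 request with poll exponent 10 (1024 s) and precision -6; the sample packet, the port-only decoder and the payload-aware check are all constructed here, and nothing in the thread establishes that the AIP-SSM's service DNS engine actually works this way.

```python
"""Decode one UDP payload both as NTP and as a DNS header.

Constructed example: shows what a DNS decoder that trusts port 53 alone
would see in an NTP client request, versus a check that first asks whether
the datagram decodes as NTP.  Not the IPS engine's real decoder.
"""
import struct

NTP_PORT = 123
DNS_PORT = 53
DNS_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}


def build_ntp_client_packet(poll=10, precision=-6):
    """Constructed NTPv4 client request (mode 3), 48-byte minimum length.

    Defaults are an assumption: poll exponent 10 (1024 s) and precision -6.
    The thread does not say what the real switch sends.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, Mode=3 -> 0x23
    header = bytes([li_vn_mode, 0, poll]) + struct.pack("!b", precision)
    return header + bytes(44)                     # root delay/disp, ref id, timestamps


def decode_ntp(payload):
    """Parse the fixed NTP header fields (RFC 5905 packet layout)."""
    if len(payload) < 48:
        return None
    b0 = payload[0]
    return {
        "li": b0 >> 6, "vn": (b0 >> 3) & 7, "mode": b0 & 7,
        "stratum": payload[1], "poll": payload[2],
        "precision": struct.unpack("!b", payload[3:4])[0],
    }


def decode_dns_header(payload):
    """Parse the same bytes as a DNS message header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident,
        "qr": flags >> 15,
        "opcode": opcode,
        "opcode_name": DNS_OPCODES.get(opcode, "RESERVED"),
        "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_like_ntp(payload):
    """Cheap plausibility check: at least 48 bytes, version 1..4, mode 1..5."""
    h = decode_ntp(payload)
    return h is not None and 1 <= h["vn"] <= 4 and 1 <= h["mode"] <= 5


def classify(src_port, dst_port, payload, port_only=True):
    """Verdict for one datagram.

    port_only=True mimics a decoder that treats any datagram touching port 53
    as DNS; port_only=False first tests whether it decodes as NTP to port 123.
    """
    if DNS_PORT not in (src_port, dst_port):
        return "not-dns"
    if not port_only and dst_port == NTP_PORT and looks_like_ntp(payload):
        return "ntp"
    dns = decode_dns_header(payload)
    if dns is None:
        return "dns-truncated"
    return "dns-" + dns["opcode_name"]


if __name__ == "__main__":
    pkt = build_ntp_client_packet()
    print("as NTP:", decode_ntp(pkt))
    print("as DNS:", decode_dns_header(pkt))
    print("port-keyed verdict:  ", classify(53, 123, pkt))
    print("payload-aware verdict:", classify(53, 123, pkt, port_only=False))
```

With the assumed poll exponent of 10, the NTP poll byte lands in the DNS flags field and reads as opcode 1 (IQUERY), which is the kind of coincidence that would matter to a decoder keyed on port alone; with poll exponent 6 the same bytes read as a plain QUERY. A payload-aware check that recognises a 48-byte mode-3 datagram to UDP/123 as NTP before handing it to a DNS parser gives the tuning answer without silencing the signature for real port-53 traffic. A packet capture of the real request is still the way to confirm which case applies here.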
