Seeing an AIP-SSM signature (DNS Inverse Query Buffer Overflow) firing when a switch configured for sync with internet NTP server, generates a high event. While the switch is sourcing the NTP request from port 53 DNS doesn't appear to be involved. Destination port is 123. I'm confident this can be tuned out but I'd like to know if the source port 53 (inverse DNS request?) is enough to fire this signature.