Community Member

Signature 6055 (DNS buffer overflow) firing for NTP... Why?

Seeing an AIP-SSM signature (DNS Inverse Query Buffer Overflow) firing when a switch configured for sync with an internet NTP server generates a high event. While the switch is sourcing the NTP request from port 53, DNS doesn't appear to be involved. The destination port is 123. I'm confident this can be tuned out, but I'd like to know if the source port 53 (inverse DNS request?) is enough to fire this signature.

2 REPLIES
Gold

Re: Signature 6055 (DNS buffer overflow) firing for NTP... Why?

That is strange. The engine on our sensor is "service DNS" and has settings for query opcodes, etc., so supposedly it understands the DNS protocol pretty well. I'm not sure how it could interpret NTP as DNS.

It is odd that the switch is using a source port of 53 though. It really shouldn't do that.

Community Member

Re: Signature 6055 (DNS buffer overflow) firing for NTP... Why?

That's what I thought... I won't be able to get a capture myself, but I'll forward the info to those that might want to follow.

It seems to be either a problem with the way the switch (3560 running 12.2.25 s1) is formatting the request, or (and this is probably more likely) the way the IPS 6.x AIP-SSM module is interpreting the traffic. I guess I can imagine ways the IPS would want to fire this signature when it sees a source 53, or thinks it sees a source 53, but it's hard for me to believe it really is sourced from port 53. Thanks.
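To make the question in this thread concrete (whether a source port of 53 alone is enough for a port-keyed DNS decoder to pick up an NTP packet), here is an added Python example. It is not from the thread, is not Cisco's IPS engine, and does not reproduce the logic of signature 6055. It builds a constructed NTP client packet with assumed header values (version 3, poll 10, precision 0xFA) and a constructed DNS query, then compares a port-keyed classifier, which hands anything touching port 53 to a DNS header parser, with one that checks the payload shape before choosing a decoder.

```python
import struct

# --- Constructed sample packets (illustrative values, not captured traffic) ---

def build_ntp_client_packet(version=3, poll=10, precision=0xFA):
    """Build a 48-byte NTP client request (mode 3).

    Assumed field values: version 3, poll 10 (2^10 s), precision 0xFA (-6).
    These are constructed for illustration, not taken from the poster's switch.
    """
    li_vn_mode = (0 << 6) | (version << 3) | 3      # LI=0, VN, Mode=3 (client)
    header = struct.pack("!BBBB", li_vn_mode, 0, poll, precision)
    # root delay, root dispersion, reference id (4 bytes each) and four
    # 8-byte timestamps, all zero in a bare client request: 44 bytes
    return header + bytes(44)

def build_dns_query(name="example.com", qtype=1, ident=0x1234):
    """Build a minimal standard DNS A query (opcode 0, RD set, one question)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

# --- Header parsers and structural checks --------------------------------

DNS_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}

def parse_dns_header(payload):
    """Read the first 12 bytes as a DNS header, whatever the payload really is."""
    if len(payload) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def looks_like_ntp(payload):
    """Sanity check: at least 48 bytes, version 1-4, mode 1-5."""
    if len(payload) < 48:
        return False
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    return 1 <= version <= 4 and 1 <= mode <= 5

def looks_like_dns(payload):
    """Sanity check: a known opcode and at least one question or record."""
    hdr = parse_dns_header(payload)
    if hdr is None or hdr["opcode"] not in DNS_OPCODES:
        return False
    return (hdr["qdcount"] + hdr["ancount"] + hdr["nscount"] + hdr["arcount"]) >= 1

# --- Two ways to decide which protocol decoder to run ----------------------

def classify_by_port(src_port, dst_port, payload):
    """Port-keyed: anything on port 53, either direction, goes to the DNS parser."""
    if 53 in (src_port, dst_port):
        hdr = parse_dns_header(payload)
        if hdr and hdr["opcode"] == 1:
            return "DNS inverse query"
        return "DNS"
    if 123 in (src_port, dst_port):
        return "NTP"
    return "other"

def classify_with_checks(src_port, dst_port, payload):
    """Prefer the well-known destination port, then verify the payload shape."""
    if dst_port == 123 and looks_like_ntp(payload):
        return "NTP"
    if 53 in (src_port, dst_port) and looks_like_dns(payload):
        hdr = parse_dns_header(payload)
        return "DNS inverse query" if hdr["opcode"] == 1 else "DNS"
    return "other"

if __name__ == "__main__":
    ntp = build_ntp_client_packet()
    print("NTP bytes read as a DNS header:", parse_dns_header(ntp))
    print("port-keyed  :", classify_by_port(53, 123, ntp))
    print("with checks :", classify_with_checks(53, 123, ntp))
    print("real DNS    :", classify_with_checks(40000, 53, build_dns_query()))
```

With the assumed values, the NTP poll byte lands in the DNS opcode bits and the first 12 bytes read as an inverse query (opcode 1) with zero questions and zero records; with a poll of 6 the same packet reads as a standard query instead. The payload-checking classifier rejects it as DNS either way because a real DNS message carries at least one question or record, and accepts it as NTP on the destination port. Which bytes the switch actually sends is exactly what a capture would settle, as the replies suggest.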
