Signature 6055 (DNS buffer overflow) firing for NTP... Why?

mprescher
Level 1

Seeing an AIP-SSM signature (DNS Inverse Query Buffer Overflow) firing when a switch configured for sync with an internet NTP server generates a high event. While the switch is sourcing the NTP request from port 53, DNS doesn't appear to be involved. Destination port is 123. I'm confident this can be tuned out, but I'd like to know if the source port 53 (inverse DNS request?) is enough to fire this signature.

2 Replies

mhellman
Level 7

That is strange. The engine on our sensor is "service DNS" and has settings for query opcodes, etc., so supposedly it understands the DNS protocol pretty well. I'm not sure how it could interpret NTP as DNS.

It is odd that the switch is using a source port of 53 though. It really shouldn't do that.

That's what I thought... I won't be able to get a capture myself, but I'll forward the info to those that might want to follow.

It seems to be either a problem with the way the switch (3560 running 12.2.25 SE1) is formatting the request, or (and this is probably more likely) the way the IPS 6.x AIP-SSM module is interpreting the traffic. I guess I can imagine ways the IPS would want to fire this signature when it sees a source 53, or thinks it sees a source 53, but it's hard for me to believe it really is sourced from port 53. Thanks.
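To illustrate the false-positive mechanism the thread is guessing at, here is an added example (not from the thread, and not the actual logic of signature 6055): a hypothetical port-keyed rule that parses anything touching UDP/53 as DNS, beside a header-aware check that recognises the NTP datagram first. The sample packets are constructed; the NTP request uses poll interval 8, whose bits happen to land where a DNS parser reads the OPCODE field.

```python
import struct

# Constructed sample datagrams (not captures from the thread).
# NTP v4 client request as a switch might send it: LI=0, VN=4, Mode=3 (0x23),
# stratum 0, poll 8 (256 s), precision -20 (0xEC), then zeroed timestamps; 48 bytes.
NTP_CLIENT_REQUEST = bytes([0x23, 0x00, 0x08, 0xEC]) + bytes(44)
# Genuine DNS inverse query: ID 0x1234, flags 0x0800 (QR=0, OPCODE=1), QDCOUNT=1,
# followed by a minimal question for the root name, type PTR, class IN.
DNS_INVERSE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0800, 1, 0, 0, 0) + b"\x00\x00\x0c\x00\x01"


def dns_opcode(payload):
    """Return the DNS OPCODE if the bytes are treated as a DNS query, else None."""
    if len(payload) < 12:
        return None
    flags = struct.unpack("!H", payload[2:4])[0]
    if flags & 0x8000:          # QR=1 means a response, not a query
        return None
    return (flags >> 11) & 0xF  # 0=QUERY, 1=IQUERY, 2=STATUS


def looks_like_ntp(payload):
    """Sanity check on the NTP header: 48-byte fixed body, VN 1-4, mode 1-5."""
    if len(payload) < 48:
        return False
    vn, mode = (payload[0] >> 3) & 0x7, payload[0] & 0x7
    return 1 <= vn <= 4 and 1 <= mode <= 5


def port_keyed_rule(sport, dport, payload):
    """Hypothetical rule: anything touching UDP/53 is parsed as DNS and flagged on IQUERY.
    For NTP_CLIENT_REQUEST the poll byte sits in the DNS flags word and reads as OPCODE 1,
    so this rule fires on a plain NTP request sourced from port 53."""
    return 53 in (sport, dport) and dns_opcode(payload) == 1


def protocol_aware_rule(sport, dport, payload):
    """Classify by header shape first; only a datagram that is not NTP gets the DNS parse."""
    if 123 in (sport, dport) and looks_like_ntp(payload):
        return False
    return 53 in (sport, dport) and dns_opcode(payload) == 1


if __name__ == "__main__":
    samples = [("ntp from sport 53", NTP_CLIENT_REQUEST, 53, 123),
               ("real inverse query", DNS_INVERSE_QUERY, 40000, 53)]
    for name, pkt, sp, dp in samples:
        print(f"{name}: port-keyed={port_keyed_rule(sp, dp, pkt)} "
              f"protocol-aware={protocol_aware_rule(sp, dp, pkt)}")
```

The same idea applies when tuning: an event filter on destination port 123 (or a capture confirming the payload is NTP) is the check that separates a misparsed NTP request from a real inverse query.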
