Hi,
I recently updated our sites' MX appliances to the latest version (MX 16.15), and since then there's been a barrage of alerts from the IDS named "CA BrightStor stack buffer overflow attempt". I've investigated the Snort rule, which seems to relate to an old backup solution that we've never used and that is no longer supported anyway. The alerts' source is our SCCM CAS, with the targets being the primary SCCM servers at each remote site. As far as I can tell, the SCCM system runs unimpeded even though these connection attempts are blocked. The more I look into it, the more it seems like a false positive. I'm thinking it could be RPC being mislabelled as a vulnerability. I've got a few open, vague questions:
Is anyone with a similar setup seeing these alerts?
What practices do you recommend for potential false positives like this? E.g. would you allow them, or leave the IDS to block regardless? How far would you go to investigate?
Is there any literature regarding Snort rules or Meraki's IDS system to read?
Thanks in advance!
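One practical first step for the triage question above, as an added example that is not part of the original post or of any Meraki tooling: group the alerts by source/destination pair and check whether every hit for the signature lands on a port Windows uses for SMB or MSRPC (135, 139, 445 and the 49152-65535 dynamic range). If the pattern is consistent and the destinations are servers you manage, that supports the "RPC mislabelled" hypothesis and gives you narrowly scoped pairs to except rather than a blanket rule disable; any pair that breaks the pattern is kept aside for packet-level inspection. The record fields, IP addresses and server list below are constructed placeholders, loosely modelled on the shape of Meraki security-event exports, not real dashboard output.

```python
"""Triage of repeated IDS alerts by endpoint pair and destination port.

Added example, not code from the original thread or from Meraki. Alert
fields and all addresses below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports Windows hosts use for SMB and MSRPC: endpoint mapper (135),
# NetBIOS session (139), SMB (445) and the dynamic RPC range that
# Server 2008 and later allocate from. Assumption: traffic on these
# ports between known SCCM/print servers is ordinary Windows RPC.
SMB_RPC_PORTS = {135, 139, 445}
RPC_DYNAMIC_RANGE = range(49152, 65536)

SIGNATURE = "CA BrightStor stack buffer overflow attempt"


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dest_ip: str
    dest_port: int
    protocol: str
    message: str   # IDS signature text
    blocked: bool  # whether the MX dropped the flow


# Constructed sample alerts (placeholders, not real dashboard data).
# 10.0.1.10 plays the SCCM CAS, 10.20.1.5/10.30.1.5 the site primaries,
# 10.0.1.50 a print server, 10.0.9.9 an unknown host.
SAMPLE_ALERTS: List[Alert] = [
    Alert("10.0.1.10", "10.20.1.5", 135, "tcp", SIGNATURE, True),
    Alert("10.0.1.10", "10.20.1.5", 49731, "tcp", SIGNATURE, True),
    Alert("10.0.1.10", "10.30.1.5", 49731, "tcp", SIGNATURE, True),
    Alert("10.0.5.21", "10.0.1.50", 445, "tcp", SIGNATURE, True),
    Alert("10.0.5.22", "10.0.1.50", 445, "tcp", SIGNATURE, True),
    Alert("10.0.9.9", "10.0.1.50", 8080, "tcp", SIGNATURE, True),
    # Different signature: must be ignored by the triage below.
    Alert("10.0.1.10", "10.20.1.5", 443, "tcp", "Some other signature", False),
]

# Assumed inventory of servers we manage (constructed).
KNOWN_SERVERS = {"10.20.1.5", "10.30.1.5", "10.0.1.50"}

Pair = Tuple[str, str]


def looks_like_windows_rpc(alert: Alert) -> bool:
    """True if the flow is TCP to an SMB/MSRPC port."""
    if alert.protocol.lower() != "tcp":
        return False
    return alert.dest_port in SMB_RPC_PORTS or alert.dest_port in RPC_DYNAMIC_RANGE


def triage(alerts: List[Alert], signature: str) -> Dict[Pair, dict]:
    """Summarise alerts for one signature per (src, dst) pair.

    Each entry records hit count, how many were blocked, the set of
    destination ports seen, and whether every hit fit the RPC pattern.
    """
    summary: Dict[Pair, dict] = {}
    for a in alerts:
        if a.message != signature:
            continue
        entry = summary.setdefault(
            (a.src_ip, a.dest_ip),
            {"count": 0, "blocked": 0, "ports": set(), "all_rpc": True},
        )
        entry["count"] += 1
        entry["blocked"] += int(a.blocked)
        entry["ports"].add(a.dest_port)
        entry["all_rpc"] = entry["all_rpc"] and looks_like_windows_rpc(a)
    return summary


def allowlist_candidates(summary: Dict[Pair, dict], known_servers) -> Tuple[List[Pair], List[Pair]]:
    """Split pairs into scoped-exception candidates and outliers.

    A pair is a candidate only if every hit was on an SMB/RPC port and
    the destination is a server we manage; anything else is an outlier
    that deserves a packet capture before any exception is made.
    """
    candidates: List[Pair] = []
    outliers: List[Pair] = []
    for pair, entry in sorted(summary.items()):
        if entry["all_rpc"] and pair[1] in known_servers:
            candidates.append(pair)
        else:
            outliers.append(pair)
    return candidates, outliers


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, SIGNATURE)
    cands, outs = allowlist_candidates(result, KNOWN_SERVERS)
    for pair, entry in sorted(result.items()):
        print(pair, entry["count"], "hits", sorted(entry["ports"]),
              "rpc-only" if entry["all_rpc"] else "MIXED")
    print("exception candidates:", cands)
    print("inspect first:", outs)
```

Port consistency is evidence, not proof: it tells you the flagged flows look like the RPC traffic you would expect between those hosts, which is enough to justify a scoped exception while you get a packet capture or a vendor answer, but it does not by itself show what content tripped the rule. Keeping the exception per source/destination pair rather than disabling the signature globally limits what an attacker could hide behind it.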
Same alerts here, but ours are going from our clients to our print server. We will be opening a ticket with Meraki to address.
Hi Chptrk,
Nice to know we're not alone! Can you let me know if you get any further in diagnosing it than I have?
Thanks
Likewise. After the MX 16.16 version, "CA BrightStor stack buffer overflow attempt" is the justification for print server traffic getting blocked. As IT Security, this curdles my soul. Why is the traffic being blocked? Why can't I inspect the packet? Why the Snort classification? I can't just whitelist the rule without understanding. Woe is me.
I am also seeing traffic going to a print server getting flagged for this and being blocked. Was there any update to what might be causing this?
Of course not. The Meraki solution was to whitelist, as this was determined to be a false positive.