IDS Alerts - CA BrightStor stack buffer overflow attempt

ABR1988
Here to help

Hi,

I recently updated our site's MX appliances to the latest version (MX 16.15) and since then, there's been a barrage of alerts from the IDS named "CA BrightStor stack buffer overflow attempt". I've investigated the Snort rule, which seems to relate to an old backup solution that we've never used and is no longer supported anyway. The alerts' source is our SCCM CAS, with the target being the primary SCCM servers at each remote site. As far as I can tell, the running of the SCCM system is unimpeded even though these connection attempts are blocked. The more I look into it, the more it seems like a false positive. I'm thinking it could be RPC being mislabelled as a vulnerability. I've got a few open, vague questions:

Is anyone with a similar setup seeing these alerts?

What practices do you recommend for potential false positives like this? E.g. would you allow them or leave the IDS to block regardless? How far would you go to investigate?

Is there any literature on Snort rules or Meraki's IDS system to read?

Thanks in advance!
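One way to approach the "how far would you go to investigate" question is to check every alert for this signature against the traffic pattern the poster already expects (SCCM CAS to primary site servers over RPC) and pull out only the events that do not fit, since those are the ones worth a packet capture before whitelisting. This is an added example, not code from the thread or from Meraki; the addresses, the RPC port range and the simple key=value log format are all constructed assumptions.

```python
"""Triage repeated "CA BrightStor stack buffer overflow attempt" IDS alerts by
checking each event against the expected SCCM CAS -> primary-site-server flow.
Hosts, ports and the log format below are constructed for this example."""
import re
from collections import Counter

SIGNATURE = "CA BrightStor stack buffer overflow attempt"
# Hypothetical addresses: the CAS and the primary site servers it talks to.
SCCM_CAS = {"10.0.0.10"}
SCCM_PRIMARIES = {"10.1.0.10", "10.2.0.10", "10.3.0.10"}
# MSRPC endpoint mapper plus the dynamic high-port range RPC negotiates.
RPC_PORTS = {135} | set(range(49152, 65536))

# Constructed alert lines in a key=value shape (not Meraki's real export format).
SAMPLE_LOG = """\
sig="CA BrightStor stack buffer overflow attempt" src=10.0.0.10 dst=10.1.0.10 dport=135 action=blocked
sig="CA BrightStor stack buffer overflow attempt" src=10.0.0.10 dst=10.2.0.10 dport=49670 action=blocked
sig="CA BrightStor stack buffer overflow attempt" src=10.0.0.10 dst=10.3.0.10 dport=135 action=blocked
sig="CA BrightStor stack buffer overflow attempt" src=192.168.5.44 dst=10.1.0.10 dport=8080 action=blocked
sig="Some other signature" src=10.0.0.10 dst=10.1.0.10 dport=135 action=allowed
"""

LINE_RE = re.compile(r'sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)')

def parse_alerts(text):
    """Return one dict per line that carries the expected fields."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]

def triage(alerts):
    """Split alerts for SIGNATURE into 'expected' (known CAS -> primary over RPC
    ports) and 'review' (anything else); only the latter need deeper analysis."""
    expected, review = [], []
    for a in alerts:
        if a["sig"] != SIGNATURE:
            continue
        rpc_like = (a["src"] in SCCM_CAS and a["dst"] in SCCM_PRIMARIES
                    and int(a["dport"]) in RPC_PORTS)
        (expected if rpc_like else review).append(a)
    return expected, review

def summarize(alerts):
    """Count alerts per (src, dst) pair so the dominant flow stands out."""
    return Counter((a["src"], a["dst"]) for a in alerts)

if __name__ == "__main__":
    exp, rev = triage(parse_alerts(SAMPLE_LOG))
    print(f"{len(exp)} alerts match the known SCCM RPC pattern; {len(rev)} need review")
    for a in rev:
        print("review:", a)
```

Any alert that lands in the review bucket (here a non-SCCM host hitting a primary server on a non-RPC port) is the case where whitelisting the rule wholesale would hide something real; the expected bucket is the candidate false positive.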

chptrk
New here

Same alerts here, but ours are going from our clients to our print server. We will be opening a ticket with Meraki to address. 

ABR1988
Here to help

Hi Chptrk,

Nice to know we're not alone! Can you let me know if you get any further in diagnosing it than I have?

Thanks

Cake
Conversationalist

Likewise. After the MX 16.16 version, "CA BrightStor stack buffer overflow attempt" is the justification for print server traffic getting blocked. As IT Security, this curdles my soul. Why is the traffic being blocked? Why can't I inspect the packet? Why the snort classification? I can't just whitelist the rule without understanding. Woe is me.

txhomer
Here to help

I am also seeing traffic going to a print server getting flagged for this and being blocked. Was there any update to what might be causing this?

Cake
Conversationalist

Of course not. The Meraki solution was to whitelist, as this was determined to be a false positive.
