Meraki

Community

IDS Alerts - CA BrightStor stack buffer overflow attempt

ABR1988
Here to help
‎Jan 6 2022 5:42 AM
‎Jan 6 2022 5:42 AM

IDS Alerts - CA BrightStor stack buffer overflow attempt

Hi,

 

I recently updated our sites MX appliances to the latest version (MX 16.15) and since then, theres been a barrage of alerts from the IDS named "CA BrightStor stack buffer overflow attempt". I've investigated the snort rule that seems to relate to an old backup solution that we've never used and is no longer supported anyway. The alerts source is our SCCM CAS with the target the primary SCCM servers at each remote site. As far as i can tell, the running of the sccm system is uninpeded even though these connection attempts are blocked. The more i look into it, the more it seems like a false positive. I'm thinking it could be RPC being mislabelled as a vulnerability. I've got a few open vague questions-

 

is anyone with the similar setup are seeing these alerts?

What practices do you recommend for potential false positives like this? E.g. would you allow them or leave IDS to block regadless? How far would you go to investigate?

Is there any literature regarding snort rules, merakis IDS systems to read?

 

Thanks in advance!

Labels:
5 Replies 5
chptrk
New here
‎Apr 9 2022 8:03 AM
‎Apr 9 2022 8:03 AM

Same alerts here, but ours are going from our clients to our print server. We will be opening a ticket with Meraki to address. 

ABR1988
Here to help
‎Apr 11 2022 12:54 AM
‎Apr 11 2022 12:54 AM

Hi Chptrk,

 

Nice to know we're not alone! Can you let me know if you get any further in diagnosing it than i have?

 

Thanks

Cake
Conversationalist
‎Apr 20 2022 2:01 PM
‎Apr 20 2022 2:01 PM

Likewise. After the MX 16.16 version, "CA BrightStor stack buffer overflow attempt" is the justification for print server traffic getting blocked. As IT Security, this curdles my soul. Why is the traffic being blocked? Why can't I inspect the packet? Why the snort classification? I can't just whitelist the rule without understanding. Woe is me.

txhomer
Here to help
‎Jul 20 2022 8:10 AM
‎Jul 20 2022 8:10 AM

I am also seeing traffic going to a print server getting flagged for this and being blocked.  Was there any update to what might be causing this?

0 Kudos
In response to txhomer
Cake
Conversationalist
‎Jul 20 2022 8:19 AM
‎Jul 20 2022 8:19 AM

Of course not. The Meraki solution was to whitelist, as this was determined to be a false positive.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.