Trying to determine if a message is just a normal operation or a concern

Michael-Sangre


We are getting one alert with regularity and one not so much.

PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt - 2 incidents in a 24 hour period

and

INDICATOR-COMPROMISE suspicious .null dns query - 3 incidents in a 24 hour period.

The PROTOCOL-DNS alert is infrequent and points to one of the domain controllers using Comcast DNS servers as forwarders.

The INDICATOR-COMPROMISE alert is from some Android device.

I am trying to track these down.

What I am trying to understand is whether these are normal or not.

Gjzawada

The volume of alerts within that timeframe isn't too exceptional, but it still bears review.

The first one is a little more high level than the second. The PROTOCOL-DNS alert was first discovered a few years back, and is tagged as CVE-2015-7547. Not specifically a major threat, but there was a known vulnerability found a few years ago that affected quite a number of Cisco devices. More information on that can be found here: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20160218-glibc.html.

The second, INDICATOR-COMPROMISE, depends a little more on whether you happen to have a PCAP of traffic from that device. It could be nothing, or it could be an indicator of something else, but if you can pull a full packet capture on it, that should give you a little more info on where it lies. In the meanwhile, it doesn't hurt to isolate that Android client until you get a closer look at it.

Sidenote, but the above could depend on the tier you have your IDS/IPS settings at. Balanced is typically my SOP on deployment; I've found Security to trigger a number of false positives.

Depending on any other issues on the network and how long it's been since the last review, I always suggest that people get a security audit completed, either through a VAR or a smaller firm.
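Added example, not from this thread or from Meraki: a small triage script for the second alert. It assumes a constructed DNS query log in a simple "time client qname qtype rcode" format (the sample lines below are made up) and groups queries for the .null TLD by client address, so you can see which device is generating them and how often before pulling a PCAP from it.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not real data). Assumed line format:
# "<timestamp> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2019-03-01T08:00:01 10.0.1.25 update.example.com A NOERROR
2019-03-01T08:05:44 10.0.5.117 wpad.null A NXDOMAIN
2019-03-01T09:12:03 10.0.1.26 mail.example.com MX NOERROR
2019-03-01T14:30:10 10.0.5.117 sync.null A NXDOMAIN
2019-03-01T22:41:57 10.0.5.117 push.null A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def null_tld_queries(text):
    """Group queries whose name ends in the unused .null TLD by client address.

    These are the lookups the INDICATOR-COMPROMISE rule reacts to; the result
    tells you which host to capture from and what it was asking for.
    """
    by_client = defaultdict(list)
    for ts, client, qname, qtype, rcode in parse_log(text):
        if qname.lower().rstrip(".").endswith(".null"):
            by_client[client].append((ts, qname, qtype, rcode))
    return dict(by_client)


def clients_to_review(text, threshold=3):
    """Return clients whose .null query count reaches the threshold.

    The default of 3 matches the 3-in-24-hours figure from the question;
    in practice feed it one day's worth of log at a time.
    """
    return sorted(c for c, q in null_tld_queries(text).items() if len(q) >= threshold)


if __name__ == "__main__":
    for client, queries in null_tld_queries(SAMPLE_LOG).items():
        print(client, [q[1] for q in queries])
    print("review:", clients_to_review(SAMPLE_LOG))
```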

Michael-Sangre

Thank you for your insight. I will track down and follow your advice and see what we can do.

Thank you
