Hi, I recently updated our sites MX appliances to the latest version ( MX 16.15) and since then, theres been a barrage of alerts from the IDS named "CA BrightStor stack buffer overflow attempt". I've investigated the snort rule that seems to relate to an old backup solution that we've never used and is no longer supported anyway. The alerts source is our SCCM CAS with the target the primary SCCM servers at each remote site. As far as i can tell, the running of the sccm system is uninpeded even though these connection attempts are blocked. The more i look into it, the more it seems like a false positive. I'm thinking it could be RPC being mislabelled as a vulnerability. I've got a few open vague questions- is anyone with the similar setup are seeing these alerts? What practices do you recommend for potential false positives like this? E.g. would you allow them or leave IDS to block regadless? How far would you go to investigate? Is there any literature regarding snort rules, merakis IDS systems to read? Thanks in advance!
... View more