This is a new signature that was added in the 220.127.116.11 signature set on 7/25.
It is looking for large DNS response packets to alert against a potential XSS vulnerability in the web interface of Tipping Point.
The attack is low severity, with auto acknowledgement on by default due to the potential for false positives.
If you do not have a Tipping Point device the signature can be disabled.
Shouldn't the alert name or description then in some form state this is a targeted attack against a TP web interface? At no place within the attack description is this listed, only a reference URL to Fortiguard. The vague attack name and description suggest a DoS condition against DNS. Nothing relating to XSS. Just seems lacking to me.
I agree with this. I also find that the Fortiguard link is broken for me. There should certainly be something in the description that informs customers that this only affects TippingPoint products.