4 Replies Latest reply: Sep 9, 2013 11:06 AM by jstemp RSS



      Does anyone know what could cauese this alert  "DNS: many answers Response detected" in NSM?


      Message was edited by: engrsam on 7/26/13 3:56:36 PM CDT
        • 1. Re: question

          I'm kind of curious myself too.  I have been receiving numerous alerts for this attack starting 7/26.  I am assuming it has to do something with the latest signature set that was released.

          • 2. Re: question

            This is a new signature that was added in the signature set on 7/25.


            It is looking for large DNS response packets to alert against a potential XSS vulnerability in the web interface of Tipping Point.

            The attack is a low severity with auto acknowledgement on by default due to the potential for false positive.

            If you do not have a Tipping Point device the signature can be disabled.

            • 3. Re: question

              shouldn't the alert name or description then in some form state this is a targeted attack against a TP web interface?  at no place within the attack description is this listed, only a reference URL to fortiguard.  the vauge attack name and description suggest a DOS condition against DNS.  nothing relating to XSS.  just seems lacking to me.

              • 4. Re: question

                I agree with this.  I also find that the Fortiguard link is broken for me.  There should certainly be something in the description that informs customers that this only affects TippingPoint products.