1048 Views 4 Replies Latest reply: Sep 9, 2013 11:06 AM by jstemp
engrsam Newcomer 1 posts since
Jul 26, 2013

Jul 26, 2013 3:56 PM

question

Does anyone know what could cause this alert "DNS: many answers Response detected" in NSM?

 

Message was edited by: engrsam on 7/26/13 3:56:36 PM CDT
  • nachink2k Newcomer 1 posts since
    Jul 29, 2013
    1. Jul 29, 2013 9:17 AM (in response to engrsam)
    Re: question

    I'm kind of curious myself too. I have been receiving numerous alerts for this attack starting 7/26. I am assuming it has something to do with the latest signature set that was released.

  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    2. Jul 29, 2013 10:29 AM (in response to engrsam)
    Re: question

    This is a new signature that was added in the 7.6.14.9 signature set on 7/25.

     

    It is looking for large DNS response packets to alert against a potential XSS vulnerability in the web interface of Tipping Point.

    The attack is low severity, with auto acknowledgement on by default due to the potential for false positives.

    If you do not have a Tipping Point device the signature can be disabled.

  • dt1 Newcomer 12 posts since
    Apr 17, 2013
    3. Aug 1, 2013 12:48 PM (in response to gfergus1)
    Re: question


    Shouldn't the alert name or description then in some form state this is a targeted attack against a TP web interface? At no place within the attack description is this listed, only a reference URL to fortiguard. The vague attack name and description suggest a DOS condition against DNS. Nothing relating to XSS. Just seems lacking to me.

  • jstemp Newcomer 1 posts since
    Feb 13, 2012
    4. Sep 9, 2013 11:06 AM (in response to dt1)
    Re: question

    I agree with this.  I also find that the Fortiguard link is broken for me.  There should certainly be something in the description that informs customers that this only affects TippingPoint products.
