PROTOCOL-DNS -- Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries, the name lookups behind a user's website requests through a browser. Several vulnerability use-cases exist (i.e., additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).
PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
The NSPLookupServiceNext function in the client in Microsoft Forefront Threat Management Gateway (TMG) 2010 allows remote attackers to execute arbitrary code via vectors involving unspecified requests, aka "TMG Firewall Client Memory Corruption Vulnerability."
Impact: CVSS base score 10.0, CVSS impact score 10.0, CVSS exploitability score 10.0; confidentialityImpact COMPLETE, integrityImpact COMPLETE, availabilityImpact COMPLETE
Details:
Ease of Attack:
This alert is generated when overly long hostname requests are found.
Public information/Proof of Concept available
Known false positives, with the described conditions
This vulnerability only affects Microsoft Forefront Threat Management Gateway; thus DNS hostnames that are long, but not necessarily malicious, may alert on this rule because they would crash the TMG but not other products. If you are not running the vulnerable version of the software, you can disable this rule.
Talos research team.
No rule groups
CVE-2011-1889
Tactic: Initial Access
Technique: Exploit Public-Facing Application
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
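As an added illustration of the detection condition this rule documents (overly long hostname requests on UDP/53) and of the false-positive note above, the following Python is not Snort's rule logic or Talos code: it walks the question name of a DNS query and reports names that exceed the RFC 1035 size limits, which are assumed here as the "overly long" threshold because the page does not state the exact length the rule keys on. The sample packets are constructed, not captured traffic.

```python
import struct

# RFC 1035 section 2.3.4 limits; assumed threshold, the page gives no exact value.
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255
HEADER_LEN = 12

def build_query(hostname, txid=0x1234):
    """Construct a minimal DNS A/IN query for hostname (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def qname_wire_length(payload, pos=HEADER_LEN):
    """Return the wire length of the first question name; ValueError if malformed."""
    wire_len = 0
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[pos]
        pos += 1
        wire_len += 1
        if length == 0:
            return wire_len
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer inside question name")
        if length > MAX_LABEL_OCTETS:
            raise ValueError(f"label length octet {length} exceeds {MAX_LABEL_OCTETS}")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        pos += length
        wire_len += length

def check_dns_query(payload):
    """Findings for one UDP/53 payload; only queries with a question are inspected."""
    if len(payload) < HEADER_LEN:
        return ["truncated DNS header"]
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:
        return []  # QR bit set means a response, which this check ignores
    try:
        wire_len = qname_wire_length(payload)
    except ValueError as exc:
        return [f"malformed question name: {exc}"]
    if wire_len > MAX_NAME_OCTETS:
        return [f"hostname is {wire_len} octets on the wire, limit is {MAX_NAME_OCTETS}"]
    return []

# Constructed samples: a normal lookup and a name built from five 60-octet labels.
NORMAL = build_query("www.example.com")
OVERLONG = build_query(".".join(["a" * 60] * 5))
```

A long but legitimate name trips the same check, which is the false-positive case the rule notes describe; tuning means raising the threshold or restricting the check to hosts that actually run the vulnerable TMG client.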