Netgate Discussion Forum

Snort alerts

IDS/IPS
  • D
    digitaldave
    last edited by Apr 7, 2025, 12:35 AM

    New to Snort. Noticed something interesting in Alerts. Why would a Ring device be connecting to an IP that ends in cloudfront.net on port 80?

    • T
      tinfoilmatt @digitaldave
      last edited by Apr 7, 2025, 1:53 PM

      @digitaldave CloudFront is Amazon's CDN (sort of like what Azure is to Microsoft or Google Cloud is to Google). So your Ring device is presumably connecting to Amazon/Ring infrastructure.

      • D
        digitaldave
        last edited by digitaldave 29 days ago

        I got another alert: source: whatsapp-chatd-edge-shv-02-mia3.facebook.com; destination: internal wifi device. How can this happen with all ports closed on WAN? Someone is using WhatsApp? Should I block it?

        • T
          tinfoilmatt @digitaldave
          last edited by 29 days ago

          @digitaldave Sounds like an alert on reply traffic (i.e., one of your LAN clients initiated a connection to that server).

          Just curious, is your Snort instance running on your LAN or WAN interface? It's preferable to run it on LAN interface/s since, as you note, it will 'detect' a lot of noise that's otherwise blocked by the firewall anyway.

          • G
            Gertjan @digitaldave
            last edited by Gertjan 29 days ago

            @digitaldave said in Snort alerts:

            I got another alert: source: whatsapp-chatd-edge-shv-02-mia3.facebook.com; destination: internal wifi device. How can this happen with all ports closed on WAN? Someone is using WhatsApp? Should I block it?

            On WAN, no incoming traffic is allowed. That's normal. The traffic that Snort found didn't enter your WAN.
            It wasn't Facebook (== WhatsApp) that tried to connect to some device on your LAN. It was a device on your own network contacting Facebook / WhatsApp.

            Most probably a WhatsApp app on some wifi device that uses WhatsApp, and Snort told you that it has detected that traffic. Normally, no big deal.

            edit @tinfoil replied way faster ^^

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • D
              digitaldave @tinfoilmatt
              last edited by 29 days ago

              @tinfoilmatt Snort is running on the LAN interface.

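The point made in the replies above (an alert whose source is an external server can still belong to a connection that a LAN client opened) can be checked roughly from the port pair in each alert. The following is an added example, not code from the thread or from Snort or pfSense: a heuristic triage of alert lines in Snort's "fast" text format. The sample lines, the LAN subnet, the ephemeral-port threshold and the direction labels are all constructed assumptions.

```python
import ipaddress
import re

# Snort "fast" alert line: ... [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
# Alerts without ports (e.g. ICMP) do not match and are returned as None.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: your LAN subnet
EPHEMERAL_MIN = 32768  # assumption: client source ports start here (varies by OS)

# Constructed sample alerts (documentation IP ranges, local-rule SIDs).
SAMPLE = [
    "04/07-13:53:01.000001  [**] [1:1000001:1] CONSTRUCTED chat [**] "
    "[Priority: 3] {TCP} 203.0.113.10:5222 -> 192.168.1.23:51544",
    "04/07-13:53:02.000002  [**] [1:1000002:1] CONSTRUCTED http [**] "
    "[Priority: 3] {TCP} 192.168.1.40:49822 -> 198.51.100.7:80",
    "04/07-13:53:03.000003  [**] [1:1000003:1] CONSTRUCTED ssh [**] "
    "[Priority: 3] {TCP} 203.0.113.99:40112 -> 192.168.1.5:22",
]


def classify(line):
    """Return (direction, src, dst) for one alert line, or None if unparsable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    sport, dport = int(m["sport"]), int(m["dport"])
    src_lan, dst_lan = src in LAN, dst in LAN
    if src_lan and dst_lan:
        direction = "lan-to-lan"
    elif src_lan:
        direction = "outbound"
    elif dst_lan and sport < EPHEMERAL_MIN <= dport:
        # Server-side port -> client-side port: a server answering a LAN client.
        direction = "reply-to-lan-client"
    elif dst_lan:
        # Anything else aimed at a LAN host deserves a look at NAT/firewall rules.
        direction = "inbound-review"
    else:
        direction = "not-lan"
    return direction, f"{src}:{sport}", f"{dst}:{dport}"


if __name__ == "__main__":
    for alert in SAMPLE:
        print(classify(alert))
```

The port-pair test is only a hint; the firewall's state table is the authoritative record of which side opened a connection.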
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.