Snort alerts
-
New to Snort. Noticed something interesting in Alerts. Why would a Ring device be connecting to an IP that ends in cloudfront.net on port 80?
-
@digitaldave CloudFront is Amazon's CDN (sort of like what Azure is to Microsoft or Google Cloud is to Google). So your Ring device is presumably connecting to Amazon/Ring infrastructure.
-
I got another alert: source: whatsapp-chatd-edge-shv-02-mia3.facebook.com; destination: internal wifi device. How can this happen with all ports closed on WAN? Someone is using WhatsApp? Should I block it?
-
@digitaldave Sounds like an alert on reply traffic (i.e., one of your LAN clients initiated a connection to that server).
Just curious, is your Snort instance running on your LAN or WAN interface? It's preferable to run it on LAN interface/s since, as you note, it will 'detect' a lot of noise that's otherwise blocked by the firewall anyway.
-
@digitaldave said in Snort alerts:
I got another alert: source: whatsapp-chatd-edge-shv-02-mia3.facebook.com; destination: internal wifi device. How can this happen with all ports closed on WAN? Someone is using WhatsApp? Should I block it?
On WAN, no incoming traffic is allowed. That's normal. The traffic that Snort found didn't enter your WAN.
It wasn't Facebook (== WhatsApp) that tried to connect to some device on your LAN. It was a device on your own network contacting Facebook / WhatsApp. Most probably a WhatsApp app on some wifi device that uses WhatsApp, and Snort told you that it has detected that traffic. Normally, no big deal.
Edit: @tinfoil replied way faster ^^
-
@tinfoilmatt Snort is running on the LAN interface.
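-
Added example, not part of the thread or written by any poster: a small triage script for Snort "fast" format alert lines that labels external-source alerts seen on a LAN-side sensor as probable reply traffic. The LAN subnet, the port heuristic, the label names and the sample lines are all assumptions made for illustration; the firewall's state table remains the authoritative check.

```python
import ipaddress
import re

# Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: your LAN subnet
SERVICE_PORT_MAX = 1023  # heuristic: servers listen low, clients use high ports


def classify(line, lan=LAN):
    """Return a direction label for one fast-format alert, or None if unparsable."""
    m = FAST_RE.search(line)
    if m is None:
        return None
    src_in = ipaddress.ip_address(m["src"]) in lan
    dst_in = ipaddress.ip_address(m["dst"]) in lan
    sport, dport = int(m["sport"]), int(m["dport"])
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound-request"
    if dst_in:
        # External source, internal destination: on a LAN-side sensor this is
        # normally the server's answer to a connection the client opened.
        if sport <= SERVICE_PORT_MAX < dport:
            return "reply-to-lan-client"
        return "inbound-check-state-table"
    return "not-lan"


# Constructed sample alerts (documentation addresses, made-up SIDs and messages).
SAMPLES = [
    "08/14-10:15:32.123456  [**] [1:1000001:1] Constructed sample alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.50:51544",
    "08/14-10:15:40.000001  [**] [1:1000002:1] Constructed sample alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.60:49822 -> 198.51.100.7:80",
    "08/14-10:16:02.500000  [**] [1:1000003:1] Constructed sample alert [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.99:40000 -> 192.168.1.50:8080",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s.split("} ")[-1])
```

Services that listen on high ports will fall into the "inbound-check-state-table" bucket even when they are replies, so treat that label as "look closer", not as evidence of unsolicited inbound traffic.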