Snort alerts



  • I'm opening a new topic, because I didn't see that there is one about Snort alerts in general.
    If the topic does not belong here, I apologize. Here is an alert when starting Opera VPN on Android.
    I'm interested in how to check whether it is a false positive or not.




  • The destination IP address in your screenshot belongs to a company called SurfEasy, which appears to provide VPN services. If this is a company that Opera has contracted to provide the Opera VPN service, then it sounds like it's legit, if you know that the computer doesn't have any malware on it.

    You can verify who an IP address/block is registered to through the various Regional Internet Registry sites (www.arin.net, www.ripe.net, www.apnic.net, www.afrinic.net, www.lacnic.net). If you check one RIR and the IP address is under a different RIR's purview, the info presented should point to the RIR you should check (i.e. if you check ARIN but the IP address falls under RIPE, the info that ARIN presents will point you to RIPE).

    edit: added LACNIC to RIR list
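    As an added illustration of the RIR lookup described in this reply (not code from the thread), the following Python script sends a whois query over TCP port 43, follows the referral that one RIR's reply gives when the block is managed by another, and reports the registrant. The whois hostnames, the field names it parses ("ReferralServer:", "ResourceLink:", "NetType: Allocated to", "OrgName:", "org-name:") and the embedded sample replies are assumptions; the "Allocated to" wording is taken from ARIN's output and assumed to be comparable at the other registries.

```python
import re
import socket
# RIR whois servers (RFC 3912, TCP port 43), as named in the post above.
RIR_BY_NAME = {"ARIN": "whois.arin.net", "RIPE": "whois.ripe.net",
               "APNIC": "whois.apnic.net", "AFRINIC": "whois.afrinic.net",
               "LACNIC": "whois.lacnic.net"}

def whois_query(server, query, timeout=10):
    """Send one RFC 3912 whois query to `server` and return the text reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        return sock.makefile("rb").read().decode("utf-8", errors="replace")

def find_referral(reply):
    """Whois host of the RIR this reply defers to, or None if authoritative.
    ARIN uses 'ReferralServer:'/'ResourceLink:' or 'NetType: Allocated to <RIR>';
    the other RIRs are assumed here to use comparable wording (assumption)."""
    m = re.search(r"^(?:ReferralServer|ResourceLink):\s*(?:whois://)?(whois\.[\w.-]+)",
                  reply, re.I | re.M)
    if m:
        return m.group(1).lower()
    m = re.search(r"^NetType:\s*Allocated to (ARIN|RIPE|APNIC|AFRINIC|LACNIC)",
                  reply, re.I | re.M)
    return RIR_BY_NAME[m.group(1).upper()] if m else None

def registrant(reply):
    """Best-effort organisation name from an ARIN- or RIPE-style reply."""
    m = re.search(r"^(?:OrgName|org-name|descr):\s*(.+)$", reply, re.I | re.M)
    return m.group(1).strip() if m else None

def lookup_owner(ip, start="whois.arin.net", query=whois_query, max_hops=3):
    """Start at one RIR and follow referrals until a reply does not defer."""
    server, seen = start, []
    for _ in range(max_hops):
        seen.append(server)
        reply = query(server, ip)
        nxt = find_referral(reply)
        if nxt is None or nxt in seen:  # authoritative, or a referral loop
            return server, registrant(reply)
        server = nxt
    return server, None

# Constructed replies (placeholder 192.0.2.0/24 from RFC 5737, fictional org)
# so the referral logic can be exercised offline; real replies are longer.
FAKE_REPLIES = {
    "whois.arin.net": "NetType: Allocated to RIPE NCC\nResourceLink: whois.ripe.net\n",
    "whois.ripe.net": "inetnum: 192.0.2.0 - 192.0.2.255\norg-name: Example VPN Provider Ltd\n",
}
def demo():  # offline run of the chain; omit query= to ask the real RIRs
    return lookup_owner("192.0.2.10", query=lambda srv, ip: FAKE_REPLIES[srv])
```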



  • I assumed that this warning was a false positive, since I checked the IP and found that it belongs to SurfEasy, who are the ones behind the Opera VPN.
    But it still catches the eye when this warning pops up in the Snort alerts. I don't know, then, what the reason is that this alert appears. I was doing a fresh (backup/restore) install on that phone with Android and it doesn't have anything like bloatware or crapware apps on it. I was just testing Opera Max & VPN from the official Play Store.

