Suricata LAN alerts src vs dst & false positives

  • So Suricata keeps blowing up, and I'm unsure if this is 'normal behavior.' On the WAN side sure, but my LAN keeps issuing alerts.

    What should be a 'red flag' I guess... Windows 10 software can do some unexpected things, so with all these false positives and stuff I can't get a feel for what's "normal traffic". On Linux I hardly see so many alerts on my LAN.

    I attached a screen grab; anyone got any tutorials on how to determine what's a false positive?

    The alerts in black originate from my LAN host, and the red alerts are blocks from external IPs to my LAN IP. This started happening after I installed several games and a couple of game launchers.

    Any help or resources are appreciated.

    Thanks,

  • Installing games and game launchers, especially if from sources other than an official retail outlet, would give me pause. But then I am almost officially an "old fart" now and games don't interest me anymore ... ☺

    Back to your problem ---

    It's really hard to say if all of those are false positives. I will say that in general the ET Policy rule category is not terribly useful on a home network because it will generate alerts for lots of things that are perfectly normal for home networks. That ET Policy set is primarily aimed at the corporate IT world where things like Windows updates and other similar things are tightly controlled and usually distributed from in-house servers on the company network (think Microsoft's old SMS and later WSUS architecture). So these rules are designed to trigger on traffic that would indicate a user was downloading or installing some EXE file or DLL or ZIP file from the web instead of official company infrastructure.

    Well, in a home network that's exactly what Windows needs to do in order to get security updates -- download EXE and DLL files from the web. So the ET Policy rules are likely to false positive there. So the ET Policy rules in your alerts are most likely false positives. I would suggest you disable the rule set entirely in your configuration or else turn off several of those alerting rules.

    The other alerts from ET Shellcode might not be benign. The fact you mentioned you installed new games and game installers means some kind of adware or malware may have slipped in as well (unless you bought the games from a big-name retailer, but even that's not guaranteed safe). Definitely would be worried if I obtained the games from a torrent or other P2P method or purchased them at a substantial discount off retail from some web site.

    One thing to start with is to research all of the IP addresses in the alerts that are not your own. You can use web tools such as the ARIN IP Lookup to find the IP space owner and what country the IP is registered in. You can also search Google using the IP addresses as the search term to see if any negative reviews turn up.

    If the IP addresses in those Shellcode alerts are registered to the maker of your games, then I wouldn't panic as much as I would if I found the IP addresses instead were going to some "more often than not" hostile country known for malware.
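As an added example (not from anyone in this thread), here is a Python script that triages Suricata eve.json alerts the way this answer describes: it splits them by direction relative to the LAN (LAN host talking out versus external host hitting a LAN host), groups them by ET rule category, lists the non-LAN IPs that still need to be looked up, and emits suricata-update disable.conf lines for the ET POLICY sids. The LAN range, sids, signature names and IPs are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed EVE JSON alert records; the sids, signature names and IPs are made up.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10",'
    '"alert":{"signature_id":9000001,"signature":"ET POLICY constructed EXE download","action":"allowed"}}',
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"198.51.100.7",'
    '"alert":{"signature_id":9000002,"signature":"ET POLICY constructed DLL download","action":"allowed"}}',
    '{"event_type":"alert","src_ip":"198.51.100.99","dest_ip":"192.168.1.50",'
    '"alert":{"signature_id":9000003,"signature":"ET SHELLCODE constructed pattern","action":"blocked"}}',
    '{"event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.1"}',
])

def direction(src, dst, lan):
    """outbound = LAN host talking out; inbound = external host hitting a LAN host."""
    s, d = ipaddress.ip_address(src) in lan, ipaddress.ip_address(dst) in lan
    return "outbound" if s and not d else "inbound" if d and not s else "internal" if s else "external"

def rule_group(signature):
    """The ET rule category is the first two words of the signature, e.g. 'ET POLICY'."""
    return " ".join(signature.split()[:2])

def triage(eve_text, lan_cidr="192.168.1.0/24"):
    """Count alerts by (category, direction, action) and collect, per category,
    the sids involved and the non-LAN IPs that still need to be looked up."""
    lan = ipaddress.ip_network(lan_cidr)
    counts, sids, external_ips = Counter(), defaultdict(set), defaultdict(set)
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # eve.json also carries flow, dns, http, ... records
        grp = rule_group(ev["alert"]["signature"])
        counts[(grp, direction(ev["src_ip"], ev["dest_ip"], lan), ev["alert"]["action"])] += 1
        sids[grp].add(ev["alert"]["signature_id"])
        external_ips[grp].update(ip for ip in (ev["src_ip"], ev["dest_ip"])
                                 if ipaddress.ip_address(ip) not in lan)
    return counts, sids, external_ips

def disable_conf(sids):
    """Lines for suricata-update's disable.conf: a '#' comment, then one bare sid per line."""
    return ["# disabled after local false-positive review"] + [str(s) for s in sorted(sids)]

if __name__ == "__main__":
    counts, sids, ext = triage(SAMPLE_EVE)
    for (grp, dirn, action), n in sorted(counts.items()):
        print(f"{n:3d}  {grp:13s} {dirn:9s} {action}")
    print("non-LAN IPs to research:", {g: sorted(v) for g, v in ext.items()})
    print("\n".join(disable_conf(sids["ET POLICY"])))
```

Run it against your real log with `triage(open("/var/log/suricata/eve.json").read(), "<your LAN CIDR>")`; the inbound/blocked rows are the "red" alerts from the screenshot, the outbound rows the "black" ones.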
