    SNORT ET Alerts

    Category: IDS/IPS | 4 Posts, 2 Posters, 558 Views
    powerextreme:

      Hello,

      I just got Snort set up, running and monitoring. I have two Synologys in two separate networks. The local Synology is backing up to the remote Synology.
      I have been getting this alert:

      [Screenshot of the alert: Screen Shot 2020-10-01 at 6.35.04 PM.png]

      This is using their proprietary backup apps. Should I be concerned? How do I verify if this is malicious or not?

      bmeeks:

        Probably not malicious, but you would need to capture the traffic and analyze it against the actual threat to be 100% sure.

        Administering an IDS is an adventure in learning something new every single day!

        My suspicion is the backup traffic just happened to randomly match some byte pattern that rule is looking for, and thus it triggered.

        powerextreme:

          Can I set up Snort to just capture when this rule is triggered? Or will it do it for all rules?

          bmeeks (replying to powerextreme):

            @powerextreme said in SNORT ET Alerts:

            Can I set up Snort to just capture when this rule is triggered? Or will it do it for all rules?

            No, the PCAP capture option is not rule specific. It would be for all rules. The easiest thing might be to just kick off the backup job on the Synology again and capture the traffic on the LAN interface (or whatever interface it is traversing) directly on pfSense using the packet capture feature under DIAGNOSTICS on the menu.

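The two replies above describe the check a practitioner actually wants: capture the backup traffic between the two Synology units and look at whether it really contains the byte pattern the ET rule's `content:` match is looking for, since the Snort package's own capture option cannot be limited to one rule. The script below is an added example written for this page; it is not code from the thread, from the Snort package, or from pfSense. It reads a classic pcap file (the format pfSense's Diagnostics > Packet Capture produces, since that page wraps tcpdump), converts a Snort `content:` string such as `"|de ad be ef|SYNC"` into raw bytes, and reports every TCP payload between the two hosts that contains those bytes. The rule content, the two IP addresses, the port and the embedded sample capture are all constructed placeholders, not the real ET signature or the original poster's addresses; copy the `content:` value out of the actual rule that fired and point the script at the real capture file.

```python
"""Search a pcap for the byte pattern a Snort rule's `content:` match looks for.

Added example for the forum thread above, not Snort/pfSense code. Assumes a
classic pcap file with Ethernet framing (what pfSense's Diagnostics > Packet
Capture hands you); pcapng is not handled. The rule content, hosts and port
below are hypothetical placeholders for the real alert.
"""
import struct
import sys
from ipaddress import IPv4Address
from typing import Iterator, List, Optional, Set, Tuple

Hit = Tuple[int, str, str, int, int, int]  # frame no, src, dst, sport, dport, payload offset


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string ('abc|0d 0a|def') into raw bytes.

    Snort alternates literal text and |hex| segments on the pipe character.
    Rule modifiers (depth, offset, nocase, pcre, flow) are deliberately ignored:
    this is a first-pass substring check, not a full rule evaluation.
    """
    content = content.strip()
    if content.startswith('"') and content.endswith('"'):
        content = content[1:-1]
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        out += seg.encode("latin-1") if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield the raw link-layer frames of a classic (libpcap) capture."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"                     # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                     # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24                          # global header is 24 bytes
    while off + 16 <= len(data):      # each record has a 16-byte header
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                                       # protocol must be TCP
        return None
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def find_pattern(pcap: bytes, pattern: bytes, hosts: Optional[Set[str]] = None) -> List[Hit]:
    """List every TCP payload (optionally restricted to hosts) containing pattern."""
    hits: List[Hit] = []
    for n, frame in enumerate(iter_pcap_frames(pcap)):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if hosts and not ({src, dst} & hosts):
            continue
        idx = payload.find(pattern)
        if idx >= 0:
            hits.append((n, src, dst, sport, dport, idx))
    return hits


# --- constructed sample capture so the script runs offline ---------------------
def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left at zero (not validated above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PATTERN = '"|de ad be ef|SYNC"'   # hypothetical rule content, not a real ET signature
SAMPLE_HOSTS = {"192.168.1.10", "10.0.0.20"}   # hypothetical local and remote Synology
SAMPLE_PCAP = build_pcap([                     # port 6281 is an assumption for the backup app
    build_frame("192.168.1.10", "10.0.0.20", 50123, 6281, b"blob" * 4 + b"\xde\xad\xbe\xefSYNC" + b"x" * 8),
    build_frame("192.168.1.10", "10.0.0.20", 50123, 6281, b"plain chunk data"),
    build_frame("10.0.0.20", "192.168.1.10", 6281, 50123, b"\xde\xadXX"),   # partial bytes only
])


def main() -> None:
    if len(sys.argv) == 3:            # usage: script.py capture.pcap '"content string"'
        with open(sys.argv[1], "rb") as f:
            pcap, pattern, hosts = f.read(), snort_content_to_bytes(sys.argv[2]), None
    else:
        pcap, pattern, hosts = SAMPLE_PCAP, snort_content_to_bytes(SAMPLE_PATTERN), SAMPLE_HOSTS
    hits = find_pattern(pcap, pattern, hosts)
    for n, src, dst, sport, dport, off in hits:
        print(f"frame {n}: {src}:{sport} -> {dst}:{dport} pattern at payload offset {off}")
    print("no payload contained the pattern" if not hits else f"{len(hits)} frame(s) matched")


if __name__ == "__main__":
    main()
```

A hit from an ordinary backup job, reproduced every time the job runs, supports the "random byte match" explanation; a hit that appears only once, or on a connection that is not the backup session, deserves a closer look. Because this check ignores the rule's modifiers and any `pcre:` clause, treat it as triage only: the authoritative test is to replay the same capture file through Snort offline (`snort -r capture.pcap` with the rule set loaded) and see whether the alert fires again.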
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.