Netgate Discussion Forum
    Attempted User Privilege Gain in Suricata logs

code4food23

      Can someone please explain what this means?

      The source is my iPhone to some AWS server. I do not have discord or Microsoft teams installed like I have seen in other posts.

      The closest thing I can think of is the Zoom, Ring, Whatsapp, and maybe FB Messenger apps.

[Screenshot attached: Screen Shot 2021-08-20 at 4.18.47 PM.png]

bmeeks

        I don't think I would sweat this alert. The Emerging Info rules are really designed more to "inform" the admin about traffic rather than necessarily identify malicious traffic.

        A lot of chatter about this particular rule here: https://community.synology.com/enu/forum/12/post/144181. Seems it is a rule that frequently triggers falsely.

code4food23 @bmeeks

          @bmeeks Thanks a lot for the response and reference to that post.
          I confirmed that it happens when I use the go live feature on my Ring app because it sprayed my logs with multiple alerts.

          What would be the harm of disabling this rule?

bmeeks @code4food23

            @code4food23 said in Attempted User Privilege Gain in Suricata logs:

            @bmeeks Thanks a lot for the response and reference to that post.
            I confirmed that it happens when I use the go live feature on my Ring app because it sprayed my logs with multiple alerts.

            What would be the harm of disabling this rule?

            No harm to disable, or you could opt to suppress it for certain IP addresses. But if your device that triggers the rule has a dynamic IP, then disabling might be the better option.

SteveITS Galactic Empire
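An added example, not code from this thread or from pfSense/Suricata, that applies the suppress-versus-disable choice above: it tallies source IPs per SID from constructed eve.json alert lines in the "Attempted User Privilege Gain" category, recommends per-IP suppression only when every triggering host has a static address (otherwise a dynamic address would stop matching the suppress entry), and emits Suricata threshold.config suppress entries. The SIDs, signature names and addresses are placeholders, not values from the thread.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json excerpt, not real Suricata output. SIDs, signature
# names and addresses are placeholders chosen for this example.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10",'
    '"alert":{"signature_id":9000001,"signature":"ET INFO STUN Binding Request (placeholder)",'
    '"category":"Attempted User Privilege Gain"}}',
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.11",'
    '"alert":{"signature_id":9000001,"signature":"ET INFO STUN Binding Request (placeholder)",'
    '"category":"Attempted User Privilege Gain"}}',
    '{"event_type":"alert","src_ip":"192.168.1.77","dest_ip":"203.0.113.10",'
    '"alert":{"signature_id":9000001,"signature":"ET INFO STUN Binding Request (placeholder)",'
    '"category":"Attempted User Privilege Gain"}}',
    '{"event_type":"flow","src_ip":"192.168.1.50","dest_ip":"203.0.113.10"}',
    '{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"198.51.100.5",'
    '"alert":{"signature_id":9000002,"signature":"ET POLICY placeholder",'
    '"category":"Potential Corporate Privacy Violation"}}',
])


def alert_sources(eve_text, category):
    """Map each SID in the given alert category to a Counter of source IPs."""
    by_sid = defaultdict(Counter)
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, etc. records carry no alert block
        alert = rec["alert"]
        if alert.get("category") != category:
            continue
        by_sid[alert["signature_id"]][rec["src_ip"]] += 1
    return dict(by_sid)


def choose_action(sources, static_ips):
    """Per-IP suppression only works if every triggering host keeps its
    address; if any source is dynamic, disabling the rule is the safer choice."""
    return "suppress" if set(sources) <= set(static_ips) else "disable"


def suppress_entries(sid, sources):
    """threshold.config lines suppressing one SID for the given source hosts."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}"
            for ip in sorted(sources)]


if __name__ == "__main__":
    for sid, srcs in alert_sources(SAMPLE_EVE, "Attempted User Privilege Gain").items():
        print(sid, dict(srcs), choose_action(srcs, {"192.168.1.50"}))
        print("\n".join(suppress_entries(sid, srcs)))
```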

              I've seen video conferencing software generate the STUN alert. Don't recall which but I think it was more than one.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

code4food23 @bmeeks

                @bmeeks Thanks I think I'll suppress it for that IP for the moment. Just need to make the IP static.

code4food23 @SteveITS

@steveits Gotcha, so it's definitely something to do with VoIP it seems. The alert didn't generate from my Ring app until after I started a live stream. Just strange how Zoom doesn't trigger the same alert.

                  That said, in your experience has the rule been disabled?

SteveITS Galactic Empire @code4food23

                    @code4food23 I think we did disable the rule, at least for the service being used. Zoom may not use STUN, I don't know.


code4food23 @SteveITS

                      @steveits Thank you!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.