Attempted User Privilege Gain in Suricata logs
-
Can someone please explain what this means?
The source is my iPhone to some AWS server. I do not have discord or Microsoft teams installed like I have seen in other posts.
The closest thing I can think of is the Zoom, Ring, Whatsapp, and maybe FB Messenger apps.
-
I don't think I would sweat this alert. The Emerging Info rules are really designed more to "inform" the admin about traffic rather than necessarily identify malicious traffic.
A lot of chatter about this particular rule here: https://community.synology.com/enu/forum/12/post/144181. Seems it is a rule that frequently triggers falsely.
-
@bmeeks Thanks a lot for the response and reference to that post.
I confirmed that it happens when I use the go live feature on my Ring app because it sprayed my logs with multiple alerts. What would be the harm of disabling this rule?
-
@code4food23 said in Attempted User Privilege Gain in Suricata logs:
@bmeeks Thanks a lot for the response and reference to that post.
I confirmed that it happens when I use the go live feature on my Ring app because it sprayed my logs with multiple alerts. What would be the harm of disabling this rule?
No harm to disable, or you could opt to suppress it for certain IP addresses. But if your device that triggers the rule has a dynamic IP, then disabling might be the better option.
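Added example, not from this thread or from the Suricata project: a small Python script that reads eve.json alert lines, counts which local hosts fire a given signature, and emits the threshold.config suppress entries that silence the rule only for those hosts. The signature id 9000001, the signature text and all addresses are constructed placeholders.

```python
import json
from collections import Counter

# Constructed eve.json records for illustration only (not from the thread);
# SID 9000001, the signature text and all addresses are placeholders.
def _alert(src, dst, sid=9000001):
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": dst, "proto": "UDP",
                       "alert": {"gid": 1, "signature_id": sid,
                                 "signature": "ET INFO STUN Binding Request (constructed)",
                                 "category": "Attempted User Privilege Gain"}})

SAMPLE_EVE = "\n".join(
    [_alert("192.168.1.50", "203.0.113.10")] * 3                       # camera going live
    + [json.dumps({"event_type": "flow", "src_ip": "192.168.1.20"})]  # non-alert event
    + ["not json at all"]                                              # corrupt/truncated line
    + [_alert("192.168.1.50", "203.0.113.11")]
)

def parse_alerts(eve_text, sid):
    """Return alert records for one signature id, skipping non-alert and unparsable lines."""
    found = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and rec.get("alert", {}).get("signature_id") == sid:
            found.append(rec)
    return found

def sources_for_sid(eve_text, sid):
    """Count alerts per source host, so you can see which device is really firing the rule."""
    return Counter(rec["src_ip"] for rec in parse_alerts(eve_text, sid))

def suppress_config(sid, counts, gid=1):
    """threshold.config entries that silence the rule only for the listed source hosts."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}" for ip in sorted(counts)]

def recommendation(counts, max_hosts=2):
    """A few fixed hosts: suppress per IP. Many (or DHCP/roaming) hosts: disabling is simpler."""
    if not counts:
        return "no alerts"
    return "suppress by ip" if len(counts) <= max_hosts else "disable rule"

if __name__ == "__main__":
    hits = sources_for_sid(SAMPLE_EVE, 9000001)
    print(hits, recommendation(hits))
    print("\n".join(suppress_config(9000001, hits)))
```

Per-IP suppression only holds while the device keeps that address, which is why a static lease or reservation goes with it.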
-
I've seen video conferencing software generate the STUN alert. Don't recall which but I think it was more than one.
-
@bmeeks Thanks I think I'll suppress it for that IP for the moment. Just need to make the IP static.
-
@steveits Gotcha so it's definitely something to do with VoIP it seems. The alert didn't generate from my Ring app until after I started a live stream. Just strange how Zoom doesn't trigger the same alert.
That said, in your experience has the rule been disabled?
-
@code4food23 I think we did disable the rule, at least for the service being used. Zoom may not use STUN, I don't know.
-
@steveits Thank you!