Anyone know what the following alert means? SURICATA HTTP Request unrecognized authorization method

code4food23 · Aug 28, 2021, 9:32 PM

The destination IP is an IPv6 address that resolves to
g2600-1307-bc00-018f0000-0000-26e7.deploy.static.akamaitechnologies.com

Does anyone know the nature behind this alert?

The source IPv6 address isnt in my NDP table. So I'm unsure which device triggered. Is there to find this out? From my understanding devices also use temporary IPv6 addresses, so could this be the reason?

EveningStarNM · Sep 2, 2021, 3:34 AM

@code4food23 This alert is generated when "Basic" or some unrecognized authentication method is specified in the header. I see this a lot with Verizon devices when they try to call home to mamma (Verizon) or papa (i.e., Apple) . I've read a lot of comments from people who consider it to be a false positive, and I've suppressed that rule because it annoys me. But tbh, I'd like an option to suppress only /reporting/ of a block or alert for certain rules and not the block or alert itself, but requests like that may be why some developers hate my guts.

code4food23 · Sep 2, 2021, 3:34 AM

@eveningstarnm Thanks a lot for your feedback!