    unifi devices generating snort alerts

    IDS/IPS
    efny (original post):

      I am rather puzzled. Starting last night I’ve had a large number of Snort Alerts coming from all of my unifi devices.

      SID 3-15450 MALWARE-OTHER Conficker C/D DNS traffic detected

      This is a rather old SID and I certainly don’t have any vulnerable devices (and unifi devices are linux-based, not Windows). Also, the alerts are triggered even in the absence of clients, and even by PDU-Pro when it’s the only thing connected to the network.

      I have reset the devices with recurrence of this.
      I also captured the packets associated with the alerts by unplugging all but one of the devices and eliminating any clients for clarity, and they just seem like unifi telemetry traffic.

      I was wondering if anyone has encountered anything like this and whether my network is in trouble. Thanks in advance.

      I have sanitized the packet capture if that's helpful...

      capturesanitized.png

      bmeeks (reply):

        Highly likely this is a false positive. I believe this rule is simply looking for DNS destinations, and as Conficker is now so old and most (if not all) of the C&C sites are gone and likely replaced by legit hosts/traffic these days, the usefulness of the rule can be questioned.

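As an added example (not code from either poster, Netgate or the Snort project), a small triage script in the spirit of bmeeks' reply: it parses Snort alert_fast log lines, shows which source hosts trip each signature, and builds per-source suppress entries for 3:15450 only for hosts already known to be UniFi infrastructure, listing any other source separately so it still gets looked at. The sample alert log, the RFC 5737 addresses and the rule revision numbers are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches a Snort alert_fast line: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alert log (not a real capture); addresses are RFC 5737 test ranges,
# revision numbers are placeholders, and the 1:1000001 rule is a made-up local rule for contrast.
SAMPLE_ALERTS = """\
01/23-02:14:07.512340  [**] [3:15450:1] MALWARE-OTHER Conficker C/D DNS traffic detected [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.0.2.10:41234 -> 192.0.2.1:53
01/23-02:14:09.004211  [**] [3:15450:1] MALWARE-OTHER Conficker C/D DNS traffic detected [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.0.2.11:53011 -> 192.0.2.1:53
01/23-02:14:12.770001  [**] [3:15450:1] MALWARE-OTHER Conficker C/D DNS traffic detected [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.0.2.10:41235 -> 192.0.2.1:53
01/23-02:15:30.100000  [**] [3:15450:1] MALWARE-OTHER Conficker C/D DNS traffic detected [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.0.2.50:60000 -> 192.0.2.1:53
01/23-02:16:01.000000  [**] [1:1000001:1] LOCAL constructed-example alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.50:51000
"""

def parse_alerts(text):
    """Return one dict per parseable alert_fast line; lines in other formats are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            alerts.append(d)
    return alerts

def sources_by_signature(alerts):
    """Map (gid, sid, msg) -> Counter of source IPs, to see which hosts trip each rule."""
    tally = defaultdict(Counter)
    for a in alerts:
        tally[(a["gid"], a["sid"], a["msg"])][a["src"]] += 1
    return tally

def triage(alerts, gid, sid, known_infra):
    """Split the sources hitting (gid, sid) into known infrastructure, which gets a
    per-source suppress entry, and everything else, which still needs investigation."""
    srcs = {a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid}
    explained = sorted(srcs & set(known_infra))
    unexplained = sorted(srcs - set(known_infra))
    # Snort threshold.conf / pfSense suppress-list syntax; tracking by_src keeps the
    # rule live for every host that is not explicitly listed.
    suppress_lines = [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}" for ip in explained]
    return suppress_lines, unexplained
```

Feed it the real alert log and the LAN addresses of your UniFi devices; any source in the second return value is a host where the Conficker DNS signature fired without a known explanation.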