Frequent IDS alerts - What do they exactly mean?
-
Hi,
I am forwarding logs to Wazuh and this is shown there during the day:
2023-11-18T02:58:17+01:00 192.168.1.1 snort[70003]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.99.100:17120 -> 146.75.118.132:80
192.168.99.100 is the WAN address. The DSTIPs are different for each log entry. Some are from the US, some from Germany, where I reside.
What do those notifications mean, or rather, why are they related to package management?
cheers, toddehb
-
@toddehb You have a Linux box on your network that is checking for updates.
-
Thanks. Not that I doubt you, but what are the exact indicators for that? Just want to understand.
-
@toddehb said in Frequent IDS alerts - What do they exactly mean?:
APT User-Agent Outbound likely related to package management
APT is the Linux update application.
-
Great. Overlooked that. Thanks
-
@toddehb BTW, running an IPS is not really for the faint of heart; it is not a "click it, oh, now I'm protected" thing. It takes a lot of work to tweak the rules so that you're not flooded with false positives and with your normal network traffic triggering rules that really shouldn't be enabled on your network in the first place.
Also, running on the WAN side interface is normally not a good idea. For example, wouldn't this alert have been more useful if it had told you which IP on your network sent the traffic?
I would highly suggest this post
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users
- In the drop-down, choose the interface. The LAN interface is a good first choice for two reasons. First, out of the box pfSense is going to block all unsolicited inbound traffic, so putting Snort out ahead of the firewall (on the WAN, for example) will result in it triggering on a lot of normal Internet "noise" that the firewall is going to drop anyway. Second, when you put Snort on the WAN it will only see outbound traffic after NAT rules are applied. Thus all local hosts sending traffic to the Internet will show up as having the WAN's public IP address due to typical NAT rules. That makes identifying a compromised local host very difficult. Running Snort on the LAN solves this problem.
This is by the maintainer of the IPS packages for pfSense; if it has to do with IPS/IDS, this would be the guy that has the answers ;)
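As an added illustration of the two points above (what the bracketed numbers in the alert mean, and why a WAN-side instance cannot tell you which LAN host sent the traffic), here is a small Python script that is not part of this thread and not part of Snort, pfSense or Wazuh. It parses alert lines in the syslog format quoted in the first post, extracts the gid:sid:rev triple, and flags alerts whose source address is the firewall's own WAN address, i.e. alerts where NAT has already hidden the originating host. The WAN address 192.168.99.100 and the first sample line are taken from the thread; the other sample lines, the mirror address 203.0.113.10 and the LAN host 192.168.1.50 are constructed for this example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional

# Matches the Snort "fast" alert format as it appears after the "snort[pid]:"
# prefix in the forwarded syslog line:
#   [gid:sid:rev] msg [Classification: text] [Priority: N] {PROTO} src:port -> dst:port
# IPv4 only; the port-less form used for ICMP alerts is not handled here.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+"
    rf"(?P<dst>{IPV4}):(?P<dport>\d+)"
)

@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one forwarded Snort alert line; return None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )

def rule_id(alert: SnortAlert) -> str:
    """gid:sid:rev, e.g. 1:2013504:3 in the thread: generator 1 (text rules),
    rule sid 2013504 (the ET POLICY APT user-agent rule), revision 3."""
    return f"{alert.gid}:{alert.sid}:{alert.rev}"

def origin_hidden_by_nat(alert: SnortAlert, wan_ip: str) -> bool:
    """True when the alert's source is the firewall's own WAN address.
    That is what a WAN-side Snort instance sees for every outbound flow
    after NAT: all LAN hosts collapse to this one address, so the real
    sender cannot be read from the alert."""
    return ip_address(alert.src) == ip_address(wan_ip)

def summarize(lines: Iterable[str], wan_ip: str) -> Dict[str, dict]:
    """Group alerts by rule id: how often it fired, how many distinct
    destinations were hit (many mirrors, as the poster observed), and whether
    every source was the NAT'd WAN address (i.e. nothing useful to pivot on)."""
    summary: Dict[str, dict] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary.setdefault(rule_id(alert), {
            "msg": alert.msg, "count": 0, "destinations": set(),
            "sources": set(), "all_sources_are_wan": True,
        })
        entry["count"] += 1
        entry["destinations"].add(alert.dst)
        entry["sources"].add(alert.src)
        if not origin_hidden_by_nat(alert, wan_ip):
            entry["all_sources_are_wan"] = False
    return summary

WAN_IP = "192.168.99.100"  # the WAN address given in the thread

SAMPLE_LINES = [
    # First line: the alert quoted in the thread.
    "2023-11-18T02:58:17+01:00 192.168.1.1 snort[70003]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.99.100:17120 -> 146.75.118.132:80",
    # Constructed: same rule on the WAN instance, another mirror (TEST-NET-3 address).
    "2023-11-18T03:12:44+01:00 192.168.1.1 snort[70003]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.99.100:17188 -> 203.0.113.10:80",
    # Constructed: same rule as a LAN-side instance would report it, pre-NAT source.
    "2023-11-18T03:12:44+01:00 192.168.1.1 snort[70004]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51234 -> 203.0.113.10:80",
    # Constructed: a non-alert syslog line that must be skipped.
    "2023-11-18T03:12:45+01:00 192.168.1.1 snort[70003]: snort: Reloading configuration",
]

if __name__ == "__main__":
    for rid, entry in summarize(SAMPLE_LINES, WAN_IP).items():
        print(rid, entry["msg"])
        print("  fired:", entry["count"], "distinct destinations:", len(entry["destinations"]))
        print("  sources:", sorted(entry["sources"]),
              "(all NAT'd WAN address)" if entry["all_sources_are_wan"] else "(LAN host visible)")
```

Run against only the first two (WAN-side) lines, the summary reports every source as the WAN address, which is the situation the quoted guide warns about; the third, LAN-side line is the form in which the alert actually names the host that is checking for updates.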
-
Of course, knowing the sender would be nice. In my case the WAN is not directly connected to the internet. There are reasons why Snort is enabled on WAN and LAN as well.
-
@toddehb If it's enabled on LAN as well, then why wouldn't the rule have triggered on the LAN, showing you which IP sent the traffic?