Suricata alerts NULL IP address
-
Issue with IP address on pf+ 23.09 / suricata-7.0.2_4.
Suricata alerted with IP 184.105.2417.215 - 3rd octet 2417?
11/18/2023-04:49:14.334150 [Drop] [] [1:9999999:2] NO SERVER TCP [] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 184.105.2417.215:52388 -> 111.111.111.111:443
Very strange occurrence.
-
I've never put much trust in Hurricane Electric (184.105.2417.215),
and I have never seen anything like this before.
-
@Euman said in Suricata alerts NULL IP address:
Issue with IP address on pf+ 23.09 / suricata-7.0.2_4.
Suricata alerted with IP 184.105.2417.215 - 3rd octet 2417?
11/18/2023-04:49:14.334150 [Drop] [] [1:9999999:2] NO SERVER TCP [] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 184.105.2417.215:52388 -> 111.111.111.111:443
Very strange occurrence.
There are two confusing and sort of contradictory things in this post. Help me understand:
Version 7.0.2_4 is an invalid GUI package version. The current version is 7.0.2_1 for the GUI. Now 7.0.2_4 is the current associated binary. Are you referring to the binary version?
The 7.0.2_4 binary was not deployed for Plus 23.09 users until sometime overnight Wednesday, November 22nd. That version could not have logged the November 18 alert, as it was not yet deployed.
So, what version of Suricata were you running when that November 18 alert happened? I agree the third octet is completely invalid, but trying to determine what Suricata version logged it.
-
@bmeeks Hi friend.
I looked closer at this versioning:
suricata security 7.0.2_1 High Performance Network IDS, IPS and Security Monitoring engine by OISF.
Package Dependencies: suricata-7.0.2_4
https://freshports.org/security/suricata
I copied the pkg dependencies version.
7.0.2 would have been the version that left the offending line.
-
@Euman said in Suricata alerts NULL IP address:
@bmeeks Hi friend.
I looked closer at this versioning:
suricata security 7.0.2_1 High Performance Network IDS, IPS and Security Monitoring engine by OISF.
Package Dependencies: suricata-7.0.2_4
https://freshports.org/security/suricata
I copied the pkg dependencies version.
7.0.2 would have been the version that left the offending line.
Thanks. If you have not seen any other instances, it may have just been some type of corruption in the file. That log is a text file processed by PHP code in the GUI to parse out the various fields. One of the fields apparently parsed out incorrectly for some reason.
For now I think it can be safely ignored. If it happens again, post back to this thread and I'll investigate further.
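As an added example (not the pfSense Suricata package's own PHP, and not code from anyone in this thread), the following Python parses fast.log style alert lines in the shape pasted above and flags any line whose address fields are not valid IPv4/IPv6 addresses. Suricata formats the address from the packet's binary IP header, so a decimal octet above 255 cannot come out of correct formatting; a check like this at the point where the text log is parsed catches the corrupt line instead of displaying it as a real source. The regex accepts both the usual "[**]" markers and the empty "[]" the forum paste shows; the sample lines, the documentation address 192.0.2.10 and the second timestamp are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches a Suricata fast.log alert line in the shape shown in this thread:
#   <timestamp> [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: ...]
#   [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
# The "[**]" markers may also appear as empty "[]" (as in the forum paste).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"        # optional [Drop] / [wDrop]
    r"\[(?:\*\*)?\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[(?:\*\*)?\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    # greedy \S+ backtracks to the last ':' so bracketless IPv6 also splits correctly
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    action: Optional[str]
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    problems: List[str] = field(default_factory=list)


def _check_addr(label: str, text: str, problems: List[str]) -> None:
    """Record a problem if `text` is not a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
    except ValueError as exc:
        problems.append(f"{label} address {text!r} invalid: {exc}")


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None if the line does not fit the format."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    alert = Alert(
        timestamp=m["ts"],
        action=m["action"],
        sid=int(m["sid"]),
        msg=m["msg"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )
    _check_addr("source", alert.src, alert.problems)
    _check_addr("destination", alert.dst, alert.problems)
    for label, port in (("source", alert.sport), ("destination", alert.dport)):
        if not 0 <= port <= 65535:
            alert.problems.append(f"{label} port {port} out of range")
    return alert


def find_malformed(lines: List[str]) -> List[Alert]:
    """Return the parsed alerts that carry at least one validation problem."""
    bad = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert.problems:
            bad.append(alert)
    return bad


# Constructed sample input: the line pasted in the thread, plus a well-formed line
# using the documentation address 192.0.2.10 (hypothetical, not observed traffic).
SAMPLE_LINES = [
    "11/18/2023-04:49:14.334150 [Drop] [] [1:9999999:2] NO SERVER TCP [] "
    "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} "
    "184.105.2417.215:52388 -> 111.111.111.111:443",
    "11/18/2023-04:50:01.000000 [Drop] [**] [1:9999999:2] NO SERVER TCP [**] "
    "[Classification: Detection of a Network Scan] [Priority: 3] {TCP} "
    "192.0.2.10:52388 -> 111.111.111.111:443",
]

if __name__ == "__main__":
    for a in find_malformed(SAMPLE_LINES):
        print(a.timestamp, a.src, "->", a.dst, "|", "; ".join(a.problems))
```

Run against the two sample lines, only the first is reported, with the reason that 184.105.2417.215 is not a valid IPv4 or IPv6 address; the well-formed line parses cleanly. Validating with the standard ipaddress module rather than a second regex is deliberate: it rejects out-of-range octets, stray characters and truncated addresses alike, which is what you want when the text log may have been damaged between the engine and the viewer.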