Netgate Discussion Forum

    Ntp.org and ip 95.211.224.12 (TOR)

    IDS/IPS
    cybersenser

      Hi All,

      So I have everything up and running, pfSense with Snort. Everything works great!
      (In the process of going from 'conventional' iptables to pfSense.)

      I was testing everything on a private network isolated from our office and installed snort.

      After putting the rules to work I got incoming traffic from 95.211.224.12 and got an alert description of
      ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 every 30 seconds or so.

      Is ntp.org using a Tor relay router? Or am I being paranoid? After I turned off NTP the alerts disappeared. Of course it can be an innocent
      NTP update, but it got me scared a bit.

      Does anyone else get this, or, like I say, am I paranoid? I matched up the MD5 checksum on installing.

      Regards,
      Pat

      bmeeks

        Could be a false positive.  I have not seen that alert, but then I target only a few specific external NTP servers as sync partners.  Have you tried a Google search on that alert text?  There may be some info out there from other Emerging Threats users.

        Bill

        johnpoz LAYER 8 Global Moderator

          Do you have your NTP in a pool? You could have a client routing his traffic through Tor and asking your pool member for an update. Once you turned off NTP, the pool would notice you're down and your score would drop and you would no longer be listed in the pool.

          Clients would then stop asking you for ntp.

          Just tested and that IP is running NTP:

          receive(95.211.224.12)
          server 95.211.224.12, port 123
          stratum 2, precision -23, leap 00, trust 000
          refid [95.211.224.12], delay 0.13458, dispersion 0.00037
          transmitted 4, in filter 4
          reference time:    da08918c.6f3d004a  Tue, Dec  1 2015 15:37:16.434
          originate timestamp: da089268.cd066679  Tue, Dec  1 2015 15:40:56.800
          transmit timestamp:  da089268.bf1e265c  Tue, Dec  1 2015 15:40:56.746
          filter delay:  0.13460  0.13757  0.13658  0.13458

          So it might be listed in the ntp pool as well and you were asking it for updates.

          Yup, just checked and that IP is in the pool: I tried to add it and got back that it is already a member.
          "95.211.224.12 is already listed in the pool. Email us your username to have it moved to this account"

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          cmb

            If you're pointing to *.pool.ntp.org, that's just a pool of servers from anyone who wants to be included. It's likely some of those are also Tor relays, as they tend to be servers that provide public services. 95.211.224.12 is one of those. Nothing to be concerned about.

            johnpoz LAYER 8 Global Moderator

              Yup, very common stuff. You have to keep in mind that when you turn on something like Snort, there is going to be lots and lots of noise ;) You really have to tweak the rule sets to look for the stuff that is of actual concern. And then once you do that you might not see anything…

              Other than as a learning tool, I don't see much use for an IDS in a home setup. Unless you do manage to let one of your machines get infected, pretty much all you're going to see is noise.

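The triage the thread arrives at (an "ET TOR" hit on UDP/123 from a host that is simply an NTP pool member replying to your own NTP client is noise, and the rule set should be tuned rather than switched off) can be scripted. The following is an added example, not code from the thread or from pfSense/Snort: it parses Snort "alert_fast" lines, tags the ones that are NTP replies from a pool member to a known local NTP client, and emits per-source `suppress` entries in Snort's threshold.conf syntax so that only the confirmed pool members are silenced and the rule still fires for any other source. The sample alert lines, the GID:SID:REV values (`1:1000635:1`, `1:1000636:1`), the local address 192.168.10.1 and the second source 203.0.113.77 are all constructed placeholders; only 95.211.224.12 and the alert message text come from the thread. It also assumes, as pfSense's ntpd does, that the local client sends from and receives on UDP/123.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of Snort alert_fast output. Signature IDs, the local
# 192.168.10.1 address and the 203.0.113.77 source are placeholders.
SAMPLE_ALERTS = """\
12/01-15:40:56.746  [**] [1:1000635:1] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 95.211.224.12:123 -> 192.168.10.1:123
12/01-15:41:26.801  [**] [1:1000635:1] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 95.211.224.12:123 -> 192.168.10.1:123
12/01-15:42:03.110  [**] [1:1000636:1] ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 636 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.77:51234 -> 192.168.10.1:22
"""

# Our own NTP clients (the firewall itself on pfSense). Constructed value.
LOCAL_NTP_CLIENTS = {"192.168.10.1"}
NTP_PORT = 123

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def classify(alert: Alert, ntp_clients=LOCAL_NTP_CLIENTS) -> str:
    """'ntp-pool-noise' for an ET TOR hit that is a UDP/123 reply from the
    remote host to one of our NTP clients; everything else stays 'review'."""
    if (alert.msg.startswith("ET TOR")
            and alert.proto == "UDP"
            and alert.sport == NTP_PORT
            and alert.dst in ntp_clients):
        return "ntp-pool-noise"
    return "review"


def triage(text: str, ntp_clients=LOCAL_NTP_CLIENTS) -> Dict[str, List[Alert]]:
    """Bucket every parseable alert line by classification."""
    buckets: Dict[str, List[Alert]] = {"ntp-pool-noise": [], "review": []}
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None:
            buckets[classify(alert, ntp_clients)].append(alert)
    return buckets


def suppress_lines(noise: List[Alert]) -> List[str]:
    """threshold.conf entries, one per (gid, sid, remote IP), so the rule keeps
    firing for sources other than the pool members actually observed."""
    seen = sorted({(a.gid, a.sid, a.src) for a in noise})
    return [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {ip}"
            for g, s, ip in seen]


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for name, alerts in result.items():
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a.ts} sid={a.sid} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    print("\n".join(suppress_lines(result["ntp-pool-noise"])))
```

The suppress is keyed on the remote address rather than the whole signature, which keeps the point johnpoz makes: the goal is to trim the noise you have explained, not to stop looking. Anything that does not fit the NTP pattern (here the TCP hit toward port 22 from a different source) stays in the review bucket for a human to look at.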

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.