Ntp.org and ip 188.8.131.52 (TOR)
So I have everything up and running, pfSense with Snort. Everything works great!
(In the process of going from 'conventional' iptables to pfSense.)
I was testing everything on a private network isolated from our office and installed Snort.
After putting the rules to work I got incoming traffic from 184.108.40.206 and got an alert description of
"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635" every 30 seconds or so.
Is ntp.org using a Tor relay router? Or am I being paranoid? After I turned off NTP the alerts disappeared. Of course it can be an innocent
NTP update, but it got me scared a bit.
Does anyone else get this, or, like I say, am I paranoid? I matched up the MD5 checksum on installing.
bmeeks
Could be a false positive. I have not seen that alert, but then I target only a few specific external NTP servers as sync partners. Have you tried a Google search on that alert text? There may be some info out there from other Emerging Threats users.
Do you have your NTP in a pool? You could have a client routing his traffic through Tor and asking your pool member for an update. Once you turned off NTP, the pool would notice you're down and your score would drop and you would no longer be listed in the pool.
Clients would then stop asking you for NTP.
Just tested and that IP is running NTP:
server 220.127.116.11, port 123
stratum 2, precision -23, leap 00, trust 000
refid [18.104.22.168], delay 0.13458, dispersion 0.00037
transmitted 4, in filter 4
reference time: da08918c.6f3d004a Tue, Dec 1 2015 15:37:16.434
originate timestamp: da089268.cd066679 Tue, Dec 1 2015 15:40:56.800
transmit timestamp: da089268.bf1e265c Tue, Dec 1 2015 15:40:56.746
filter delay: 0.13460 0.13757 0.13658 0.13458
So it might be listed in the ntp pool as well and you were asking it for updates.
Yup, just checked and that IP is in the pool: I tried to add it and got back that it is already a member:
"22.214.171.124 is already listed in the pool. Email us your username to have it moved to this account"
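The ntpdate output quoted above is just a decoded NTP server reply (stratum, precision, refid and the 64-bit timestamps). The following is an added example for this thread, not code from the forum posts or from pfSense/Snort: it builds a mode-3 client request, parses a mode-4 reply per the RFC 5905 header layout, and converts the NTP timestamps to UTC. The sample reply packet is constructed; its stratum, precision and timestamp hex values are reused from the quoted ntpdate output, while the refid (192.0.2.1), poll, root delay and root dispersion are made-up filler.

```python
"""Parse an NTP (RFC 5905) server reply into the fields ntpdate -d prints.

Added example, not code from the thread or from pfSense/Snort.  The
SAMPLE_REPLY below is CONSTRUCTED: stratum, precision and the timestamp
hex values come from the ntpdate output quoted in the thread; refid,
poll, root delay and root dispersion are filler values.
"""
import socket
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
# 48-byte header: li_vn_mode, stratum, poll, precision, root delay,
# root dispersion, refid, then four 64-bit timestamps (seconds, fraction).
NTP_HEADER = struct.Struct("!BBbb11I")


def ntp_to_unix(seconds, fraction):
    """NTP timestamp (32-bit seconds since 1900 + 32-bit fraction) -> Unix float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def to_iso(unix_seconds):
    """Unix float -> ISO-8601 UTC string with millisecond precision (truncated)."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat(
        timespec="milliseconds")


def build_request():
    """Mode-3 (client) request, version 4, only the transmit timestamp filled."""
    now = datetime.now(timezone.utc).timestamp() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * 2 ** 32)
    # 0x23 = LI 0, VN 4, mode 3
    return NTP_HEADER.pack(0x23, 0, 6, -20, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_reply(packet):
    """Decode a server reply; raises ValueError if it is not one."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, refid,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = NTP_HEADER.unpack_from(packet)
    mode = li_vn_mode & 0x7
    if mode != 4:
        raise ValueError("mode %d is not a server reply" % mode)
    # Stratum 0/1 carry a 4-char ASCII refid (kiss code / clock type);
    # stratum >= 2 carries the upstream server's IPv4 address.
    if stratum >= 2:
        refid_text = socket.inet_ntoa(struct.pack("!I", refid))
    else:
        refid_text = struct.pack("!I", refid).decode("ascii", "replace").strip("\x00")
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": mode,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 2 ** 16,        # 16.16 fixed-point seconds
        "root_dispersion": root_disp / 2 ** 16,
        "refid": refid_text,
        "reference": ntp_to_unix(ref_s, ref_f),
        "originate": ntp_to_unix(org_s, org_f),
        "receive": ntp_to_unix(rec_s, rec_f),
        "transmit": ntp_to_unix(xmt_s, xmt_f),
    }


def query(host, timeout=3.0):
    """Network helper: one UDP/123 request/reply exchange, parsed (not used by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, 123))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)


# CONSTRUCTED reply; timestamp hex values reused from the quoted ntpdate output.
SAMPLE_REPLY = NTP_HEADER.pack(
    0x24,                     # LI 0, VN 4, mode 4 (server)
    2,                        # stratum 2, as in the thread
    6,                        # poll (filler)
    -23,                      # precision, as in the thread
    0x00001000,               # root delay 0.0625 s (filler)
    0x00000018,               # root dispersion ~0.00037 s (filler)
    0xC0000201,               # refid 192.0.2.1, documentation-range placeholder
    0xDA08918C, 0x6F3D004A,   # reference time (thread value, 15:37:16.434 local)
    0xDA089268, 0xBF1E265C,   # originate (thread value ending .746)
    0xDA089268, 0xBF1E265C,   # receive (filler, same instant)
    0xDA089268, 0xCD066679,   # transmit (thread value ending .800)
)

if __name__ == "__main__":
    for key, value in parse_reply(SAMPLE_REPLY).items():
        print("%-16s %s" % (key, to_iso(value) if key in ("reference", "originate", "receive", "transmit") else value))
```

The reference timestamp decodes to 2015-12-01T21:37:16 UTC, six hours after the 15:37:16 the poster's ntpdate printed, so the quoted output was in a UTC-6 local zone; the originate and transmit values both sit exactly 220 seconds later, matching the 15:40:56 shown.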
If you're pointing to *.pool.ntp.org, that's just a pool of servers from anyone who wants to be included. It's likely some of those are also Tor relays, as they tend to be servers that provide public services. 126.96.36.199 is one of those. Nothing to be concerned about.
Yup, very common stuff. You have to keep in mind that when you turn on something like Snort there is going to be lots and lots of noise ;) You really have to tweak the rule sets to look for the stuff that is of actual concern. And then once you do that you might not see anything…
Other than as a learning tool, I don't see much use for an IDS in a home setup. Unless you do manage to let one of your machines get infected, pretty much all you're going to see is noise.
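One concrete form of the rule-set tweaking the last two posts describe is to separate alerts explained by your own NTP peers from everything else, and to suppress only those, scoped to the peer IP rather than to the whole rule. The following is an added example for this thread, not pfSense, Snort or Emerging Threats code: it parses Snort "fast" alert lines, checks whether a hit is UDP/123 traffic with an address that 0.pool.ntp.org actually resolved to, and emits a threshold.conf suppress entry for each such hit. The alert lines, the peer list and the rule SIDs 9999999/9999998 are all constructed placeholders; the real ET TOR rule has its own SID, which this thread does not quote.

```python
"""Triage Snort 'fast' alerts against the NTP peers this firewall uses.

Added example, not pfSense, Snort or Emerging Threats code.  Everything
in SAMPLE_* is CONSTRUCTED; the SIDs are placeholders, not the real ET
TOR rule's SID.
"""
import re
import socket

# Snort -A fast line: "MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**]
#   [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines in another format."""
    m = FAST_RE.match(line.rstrip())
    return m.groupdict() if m else None


def resolve_pool_peers(hostname="0.pool.ntp.org"):
    """Network helper: the addresses the pool name currently resolves to (not used by the test)."""
    return set(socket.gethostbyname_ex(hostname)[2])


def is_expected_ntp(alert, peers):
    """True only for UDP 123<->123 traffic whose remote side is a configured NTP peer."""
    if alert["proto"].upper() != "UDP" or alert["sport"] != "123" or alert["dport"] != "123":
        return False
    return alert["src"] in peers or alert["dst"] in peers


def suppress_entry(alert):
    """threshold.conf line that silences this rule for this source only."""
    return "suppress gen_id %s, sig_id %s, track by_src, ip %s" % (
        alert["gid"], alert["sid"], alert["src"])


def triage(lines, peers):
    """Split alerts into expected-NTP noise and everything else; propose suppress entries."""
    expected, investigate, suppress = [], [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if is_expected_ntp(alert, peers):
            expected.append(alert)
            entry = suppress_entry(alert)
            if entry not in suppress:
                suppress.append(entry)
        else:
            investigate.append(alert)
    return {"expected": expected, "investigate": investigate, "suppress": suppress}


# CONSTRUCTED: what the pool name resolved to on this firewall (184.108.40.206 is the IP from the thread).
SAMPLE_PEERS = {"184.108.40.206", "192.0.2.10"}

# CONSTRUCTED alert lines; SIDs 9999999/9999998 are placeholders.
SAMPLE_ALERTS = """\
12/01-15:40:56.746000  [**] [1:9999999:1] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 184.108.40.206:123 -> 192.168.1.1:123
12/01-15:41:02.100000  [**] [1:9999998:1] CONSTRUCTED non-NTP alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.168.1.1:22
12/01-15:41:30.000000  [**] [1:9999999:1] ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 635 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:123 -> 192.168.1.1:123
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, SAMPLE_PEERS)
    print("expected NTP noise:", len(result["expected"]))
    print("to investigate    :", [a["src"] for a in result["investigate"]])
    print("\n".join(result["suppress"]))
```

The third sample line is the case worth noticing: it is also UDP/123 and also fires the Tor rule, but its source is not one of the resolved peers, so it stays in the investigate list instead of being suppressed. Suppressing by source IP rather than disabling the SID keeps the rule alive for any other Tor relay that shows up, and the peer set should be re-resolved periodically because pool membership changes.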