Intrusion Detection and Prevention / IDS questions
« on: June 24, 2018, 11:49:39 am »
Hi
I am in a home environment with: modem/router >>>> OPNsense >>>>> Switch >>>>>> clients.
When I read the IDS/IPS alerts, the OPNsense IP of 192.168.1.228 assigned by the modem/router shows in all the alerts, and not which client is actually generating the traffic. E.g.
---------
blocked wan 2.21.75.42 80 192.168.1.228 9089 ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set
allowed wan 192.168.1.228 38749 2.21.75.42 80 SURICATA STREAM excessive retransmissions
---------
Is there a way to see which client is generating this traffic? Or have I set things up wrong?