In case people come here for the weird UDP 161 SNMP issue:
TL;DR: You likely have a Windows machine on your network looking for printers. You can block this by setting up a floating rule.
I noticed the same issue in my Suricata log.
On OPNsense: `tcpdump -n port 161` also shows traffic from OPNsense to WAN.
Then I tried what Patrick suggested: `tcpdump -i <your-lan-if> -n port 161`. I can see it coming from my Windows laptop.
To block this, I set up a floating rule under [Firewall] -> [Rules] -> [Floating], add rule:
Action: Reject, Interface: <Lan>, Direction: in, Protocol: UDP, Destination Port Range: SNMP, Description: Block leaking SNMP
After that, Suricata is quieter.
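To make the LAN-side tcpdump step quicker to read when several hosts are chatty, here is a small added example (not from the post above) that parses `tcpdump -n port 161` output and counts which source IPs are sending SNMP queries and to which destinations. The capture text and all IP addresses in it are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -i <lan-if> -n port 161` output; not a real capture.
# 192.168.1.42 plays the Windows host probing for printers (note the .255 broadcast),
# 192.168.1.7 sends one ordinary query and 192.168.1.23 answers it.
SAMPLE_CAPTURE = """\
10:15:01.123456 IP 192.168.1.42.62110 > 192.168.1.255.161:  C="public" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:01.623456 IP 192.168.1.42.62110 > 192.168.1.255.161:  C="public" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:02.001234 IP 192.168.1.42.62111 > 192.168.1.23.161:  C="public" GetRequest(40)  .1.3.6.1.2.1.25.3.2.1.3.1
10:15:05.445566 IP 192.168.1.7.49001 > 192.168.1.23.161:  C="public" GetRequest(28)  .1.3.6.1.2.1.1.5.0
10:15:05.446000 IP 192.168.1.23.161 > 192.168.1.7.49001:  C="public" GetResponse(45)  .1.3.6.1.2.1.1.5.0="printer"
"""

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line (IPv4 only).
LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")

def parse_line(line):
    """Return (src, sport, dst, dport) for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def snmp_senders(capture_text, snmp_port=161):
    """Count packets sent *to* snmp_port per source IP; replies from port 161 are ignored."""
    counts = Counter()
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == snmp_port:
            counts[parsed[0]] += 1
    return counts

def snmp_targets(capture_text, snmp_port=161):
    """Map each querying source IP to the destinations it hit; a .255 target means broadcast discovery."""
    targets = defaultdict(Counter)
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == snmp_port:
            targets[parsed[0]][parsed[2]] += 1
    return dict(targets)

def top_sender(capture_text):
    """The LAN host generating the most SNMP queries, i.e. the one to look at first."""
    counts = snmp_senders(capture_text)
    return counts.most_common(1)[0][0] if counts else None

if __name__ == "__main__":
    for src, n in snmp_senders(SAMPLE_CAPTURE).most_common():
        print(f"{src}: {n} SNMP queries -> {dict(snmp_targets(SAMPLE_CAPTURE)[src])}")
```

For a real check, save the capture with `tcpdump -i <your-lan-if> -n port 161 > snmp.txt` and pass the file contents to `snmp_senders` instead of `SAMPLE_CAPTURE`.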