Suricata alert. Hacking attempt on my home server?

Started by greentin, May 03, 2024, 10:25:27 AM

Hi folks,

I've re-enabled Suricata lately. I thought it was not working because I had zero alerts. Since I changed the engine to Aho-Corasick it seems to work.

I had this alert yesterday and I'm not sure how to interpret it:

2024-05-02T11:02:16.131626+0200   2403316   allowed   lan   31.220.73.3   13197   192.168.1.xxx 51413   ET CINS Active Threat Intelligence Poor Reputation IP group 17

I understand that the IP 31.220.73.3 is establishing a connection to one of my internal IPs. After some research it seems that it's the IP of my internal Ubuntu VM running my Docker service.

The port 51413 was used by my Transmission app running on Docker. Do you think it can be an attempt to hack my server?

Thanks for your help.

I'm a noob, but I think I can help.
(If not, my possibly wrong answer will probably annoy someone that's not a noob enough to fix my reply!)

Since it alerted on LAN, it's been allowed through the firewall already.
Since you didn't mention any other alerts, it (the remote IP) was probably not hacking its way through to your LAN, assuming you have alerts set up for those attempts.
That tells me you've invited this connection.

Since this IP that was alerted on was connecting to your torrent VM, that seems like a possible match for a "Low Reputation" alert. Torrents, torrent traffic and the IPs that use them tend to have "low" reputations in the security world.

It seems, given all the above, that an IP connected to your Transmission app in order to peer a torrent from you. At least that seems the most likely situation to me. Do you have connection history in that app? Do you see that IP address in that history? Are they connected now?
They could be a sneaky hacker... but I'd think your server/firewall/etc. logs would show more.
Do you have Fail2Ban installed?
Is the VM all alone on its own VLAN, with just that service running, since it's open to the internet directly?
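The triage the reply walks through (reputation rule, allowed action, destination port belongs to a service you chose to expose) can be written down so it is repeatable. The script below is an added example, not code from this thread, from Suricata or from OPNsense. It parses the flat alert format shown in the first post, checks the destination against a hypothetical inventory of intentionally exposed services, and flags a source that touches several different ports, which looks more like a scan than a torrent peer. The internal address in the thread is masked, so 192.168.1.50 is a constructed stand-in, and the second and third sample lines are constructed variants for contrast, not alerts from the original poster.

```python
"""Triage Suricata IP-reputation alerts against deliberately exposed services.

Added example for this thread; not Suricata, OPNsense or the poster's code.
Assumes the flat one-line alert layout seen in the thread:
  timestamp  sid  action  iface  src_ip  src_port  dst_ip  dst_port  message
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sid: int
    action: str
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    message: str


# Columns separated by runs of whitespace, message is everything after dst_port.
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)

# Constructed sample input: line 1 is the thread's alert with the masked host
# replaced by 192.168.1.50; lines 2 and 3 are invented variants for contrast.
SAMPLE_ALERTS = """\
2024-05-02T11:02:16.131626+0200   2403316   allowed   lan   31.220.73.3   13197   192.168.1.50 51413   ET CINS Active Threat Intelligence Poor Reputation IP group 17
2024-05-02T11:05:01.000000+0200   2403316   allowed   lan   31.220.73.3   13197   192.168.1.50 22   ET CINS Active Threat Intelligence Poor Reputation IP group 17
2024-05-02T11:07:42.000000+0200   2403316   blocked   wan   31.220.73.3   40000   192.168.1.50 51413   ET CINS Active Threat Intelligence Poor Reputation IP group 17
"""

# Hypothetical inventory of services you have chosen to expose (assumption:
# you maintain this yourself, e.g. from your port-forward rules).
EXPOSED_SERVICES = {
    ("192.168.1.50", 51413): "Transmission peer port",
}

# Substrings of ET rule families that fire on the source address alone, not on
# exploit content. "Poor Reputation" is the one in the thread; the rest are
# other ET list-based families, added here as an assumption for generality.
REPUTATION_MARKERS = ("Poor Reputation", "Dshield Block Listed", "Spamhaus DROP")


def parse_alert(line: str) -> Alert:
    """Parse one flat alert line into an Alert; raises on unexpected layout."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["ts"], int(m["sid"]), m["action"], m["iface"], m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]), m["msg"].strip())


def is_reputation_rule(alert: Alert) -> bool:
    """True when the rule is a reputation-list hit rather than a content signature."""
    return any(marker in alert.message for marker in REPUTATION_MARKERS)


def triage(alert: Alert, exposed=EXPOSED_SERVICES) -> str:
    """Classify an alert: blocked / expected / review / investigate."""
    if alert.action != "allowed":
        return "blocked"                       # firewall already stopped it
    service = exposed.get((alert.dst_ip, alert.dst_port))
    if is_reputation_rule(alert) and service:
        return f"expected: {service}"          # listed IP reached a port you opened on purpose
    if service:
        return f"review: content rule hit on {service}"   # a real signature, worth a look
    return "investigate"                       # allowed traffic to a port you did not expose


def scan_like_sources(alerts, min_ports=3):
    """Sources whose allowed alerts span many distinct ports: a scan, not a peer."""
    ports = defaultdict(set)
    for a in alerts:
        if a.action == "allowed":
            ports[a.src_ip].add(a.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed = [parse_alert(l) for l in SAMPLE_ALERTS.splitlines()]
    for a in parsed:
        print(f"{a.timestamp} {a.src_ip} -> {a.dst_ip}:{a.dst_port} [{a.action}] {triage(a)}")
    print("scan-like sources:", scan_like_sources(parsed, min_ports=2))
```

For the thread's own alert the verdict is "expected": the rule matched only because the source address is on a reputation list, the connection landed on the port you forwarded to Transmission, and nothing else fired. The answer to "is it really a peer?" still comes from the application side, by checking that address in Transmission's peer list, and the `scan_like_sources` check is what turns a single curiosity into something worth investigating.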