IDS Alert View

[msmarcapo]

Hey Guys,
we got an understanding problem in the alert view.
We enabled IDS on all our Interfaces. And set all internal Networks as Home networks.

In the Alertview are for example entrys like:

Code: [Select]

2023-02-07T09:34:25.605081+0100 2008064 blocked 2.16.186.27 80 192.168.17.21 50532 ET DELETED Nginx Server with no version string - Often Hostile Traffi
or

Code: [Select]

2023-02-07T09:33:21.699912+0100 2027390 blocked 192.168.28.2 49791 104.108.184.217 80 ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
How are these entrys to interpret?

For the first line. The IP "2.16.186.27" is the source. How can it be reach our internal "192.168.17.21" IP Address on port 80.
That can never happen. This IP is internal and cant be accessed from external. What should us these line say?

For the secound line. The IP "192.168.28.2" trying to reach "104.108.184.217" on Port 80. That make sense for us.


Further Question:
Why is the Interface row empty on 50% of the alerts?

[Fright]

Hi

The IP "2.16.186.27" is the source. How can it be reach our internal "192.168.17.21" IP Address on port 80

traffic from server (2.16.186.27   80) to client (192.168.17.21   50532) contains Server header with missing nginx version.

Why is the Interface row empty on 50% of the alerts?

traffic originated by firewall host? (like dns queries)

[msmarcapo]

Why is the Interface row empty on 50% of the alerts?

traffic originated by firewall host? (like dns queries)

Tanks for your answer!
Other examples below. No Traffic isnt from the FW itself. That internal IP are an other Host.

Code: [Select]

2023-02-08T08:37:47.488728+0100 2000428 blocked 209.197.3.8 80 192.168.28.2 54650 ET POLICY ZIP file download
2023-02-08T08:37:43.633795+0100 2000428 blocked 178.79.242.0 80 192.168.28.2 54648 ET POLICY ZIP file download

traffic from server (2.16.186.27   80) to client (192.168.17.21   50532) contains Server header with missing nginx version.

Didnt get it. Other example:

Code: [Select]

2023-02-08T08:24:23.581517+0100 2028371 blocked 192.168.28.2 54610 52.48.126.58 443 ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2023-02-08T08:24:23.581517+0100 2028371 blocked 192.168.28.2 54610 52.48.126.58 443 ET JA3 Hash - Possible Malware - Fake Firefox Font Update
2023-02-08T08:24:16.373773+0100 2000428 blocked 178.79.242.128 80 192.168.28.2 54608 ET POLICY ZIP file download
2023-02-08T08:24:16.373773+0100 2000428 blocked 178.79.242.128 80 192.168.28.2 54608 ET POLICY ZIP file download
The internal IP isnt reachable from public.
To clarify:
The first 2 lines show the request from the internal Server via port 54610 to external Server on port 80.
The last 2 lines show an awnser from external server via port 80 to the internal vm on port 54608. So that is the return channel an thats why source/dest column are switched?

[Fright]

No Traffic isnt from the FW itself.

well, the more technically correct answer would be: a packet arrives at an interface with a name that cannot be resolved into a friendly interface name. but maybe it can't be converted because the code was not updated when the suricata template was updated a few years ago )
I'll try to make a pr. thanks for noticing

So that is the return channel an thats why source/dest column are switched?

yes. rules specify the direction of traffic

[msmarcapo]

No Traffic isnt from the FW itself.

well, the more technically correct answer would be: a packet arrives at an interface with a name that cannot be resolved into a friendly interface name. but maybe it can't be converted because the code was not updated when the suricata template was updated a few years ago )
I'll try to make a pr. thanks for noticing

So that is the return channel an thats why source/dest column are switched?

yes. rules specify the direction of traffic

Okay, thanks for your confirmation.