Suricata alert. Hacking tentative of my home server?
Topic: Suricata alert. Hacking tentative of my home server? (Read 808 times)
greentin
Newbie
Posts: 2
Karma: 0
Suricata alert. Hacking tentative of my home server?
«
on:
May 03, 2024, 10:25:27 am »
Hi folks,
I've re-enabled Suricata lately. I thought it was not working because I had zero alerts. Since I changed the engine to Aho-Corasick it seems to work.
I had this alert yesterday and I'm not sure how to interpret it:
2024-05-02T11:02:16.131626+0200 2403316 allowed lan 31.220.73.3 13197 192.168.1.xxx 51413 ET CINS Active Threat Intelligence Poor Reputation IP group 17
I understand that the IP 31.220.73.3 is establishing a connection to one of my internal IPs. After some research it seems that it's the IP of my internal Ubuntu VM running my docker service.
The port 51413 was used by my transmission app running on docker. Do you think it can be a try to hack my server?
Thanks for your help.
Stinky-Packets
Newbie
Posts: 3
Karma: 0
Re: Suricata alert. Hacking tentative of my home server?
«
Reply #1 on:
May 08, 2024, 09:49:08 pm »
I'm a noob - but I think I can help.
( If not, my possibly wrong answer, will probably annoy someone that's not a noob, enough to fix my reply! )
Since it's been alerted on LAN - it's been allowed through the firewall already.
Since you didn't mention any other alerts, it (the remote IP) was probably not hacking its way through to your LAN. Assuming you have alerts set up for those attempts.
That tells me you've invited this connection.
Since this IP that was alerted on was connecting to your torrent VM - that seems like a possible match for a "Low Reputation" alert. Torrents, torrent traffic and the IPs that use them, tend to have "low" reputations in the security world.
It seems, given all the above - that an IP connected to your Transmission app in order to peer a torrent from you. At least that seems the most likely situation to me. Do you have connection history in that app? Do you see that IP address in that history? Are they connected now?
They could be a sneaky hacker... but I'd think your server/firewall/etc. logs would show more.
Do you have Fail2Ban installed?
Is the VM all alone on its own VLAN, with just that service running - since it's open to the internet directly?
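The alert line quoted in the first post and the reasoning in the reply above, turned into a small triage script (an added example, not code from either poster or from OPNsense). It parses the field order shown in the thread and rates the alert against a constructed inventory of ports the owner deliberately exposes; the sample line, the 203.0.113.9 / 192.168.1.50 addresses and the `EXPOSED_SERVICES` table are assumptions.

```python
import re

# Field order of the alert line as it appears in the thread (OPNsense IDS alert view):
# timestamp, alert id, action, interface, src ip, src port, dst ip, dst port, rule message.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<alert_id>\d+)\s+(?P<action>\w+)\s+(?P<iface>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<msg>.+)$"
)

# Constructed inventory of services the owner knowingly exposes or port-forwards
# (hypothetical): destination port -> service name. 51413 is the Transmission peer port.
EXPOSED_SERVICES = {51413: "transmission (docker VM)"}

# Constructed sample line in the thread's format; both addresses are placeholders.
SAMPLE_ALERT = ("2024-05-02T11:02:16.131626+0200 2403316 allowed lan 203.0.113.9 13197 "
                "192.168.1.50 51413 ET CINS Active Threat Intelligence Poor Reputation IP group 17")

def parse_alert(line):
    """Split one alert line into a dict; numeric fields become ints."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    alert = m.groupdict()
    for key in ("alert_id", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert

def triage(alert, exposed=EXPOSED_SERVICES):
    """Return (severity, reason), following the reply's reasoning: a reputation-only hit
    on a port you deliberately expose is most likely a peer; the same hit on a port you
    did not expose, or a real signature match, deserves a closer look."""
    msg = alert["msg"].lower()
    reputation_only = "poor reputation ip" in msg
    service = exposed.get(alert["dport"])
    if alert["action"] == "blocked":
        return ("info", "already dropped by IPS; nothing reached %s" % alert["dst"])
    if reputation_only and service:
        return ("low", "low-reputation peer talking to %s; confirm %s shows up in the app's "
                       "peer list and that only port %d is forwarded" % (service, alert["src"], alert["dport"]))
    if reputation_only:
        return ("medium", "low-reputation IP reached port %d, which is not in the exposed-service "
                          "inventory; check firewall/NAT rules for %s" % (alert["dport"], alert["dst"]))
    return ("high", "signature match, not just reputation: %s" % alert["msg"])

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert["src"], "->", alert["dst"], alert["dport"], triage(alert))
```

Running it on the sample line yields a "low" rating; the same line aimed at a port missing from the inventory is rated "medium", which is the case the NAT remark below is about.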
Marinoz
Full Member
Posts: 116
Karma: 0
Re: Suricata alert. Hacking tentative of my home server?
«
Reply #2 on:
May 08, 2024, 10:10:29 pm »
Except if he is nat'ed