Network Security Audit

https://lemmy.world/post/43533409

Running Suricata on your WAN interface is just generating a ton of noise and will be really confusing for you if you haven’t reviewed packet inspection alerts before. Not a lot of value in it unless you have many users “phoning home”.

Just run it on the lan interface.

I’ve been told this before. I also acknowledge and appreciate your advice coming from a professional POV. However, here’s the thing… my OCD would never allow me not to know. It would drive me up the wall not knowing. I get what you are saying, and you are right. It is my kryptonite not to know. It is a curse, I can tell you.

OK, well it’s not harming anything, so if you’re game to learn, by all means.

When you look at traffic on a public interface, besides learning what to filter out as just normal (probes, crawls, etc. from legit sources), you will also run into badly-formed TCP traffic:

  • Martian packets: en.wikipedia.org/wiki/Martian_packet
  • IP spoofing: en.wikipedia.org/wiki/IP_address_spoofing (I used to have a better resource for this, I’ll try to find it)
  • How RPC works: pentest.co.uk/…/researching-remote-procedure-call…

That should help clarify a lot of what you’ll see in traffic on your segment.

You may also want to briefly read about how CDNs work, you’ll see a lot of akamai and cloudflare traffic too.

Thank you for the links and guidance. I will definitely read those. Yeah I do see a lot of things like:

  • SURICATA STREAM FIN2 FIN with wrong seq (this is from local chatter)
  • ET INFO DNS Query for Suspicious .ml Domain (must check out this suspicious domain /s)
  • ET INFO Observed DNS Query to .world TLD (same as above)
  • SURICATA STREAM Packet with invalid timestamp (local chatter - common triggered event from what I understand)
  • SURICATA STREAM FIN invalid ack (known domain speedtest)

So, since I am working within the framework of my own personal shortcomings and have to know, I research them to find out why they get triggered. That way I don’t freak out over them. A lot of them are benign and due to normal occurrences between server and user.
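As an added example (not code from the thread or from Suricata itself), a small Python triage script that reads Suricata eve.json alert records and groups the signatures listed above, separating stream-engine anomalies between two LAN hosts (the “local chatter” case) from those involving an outside peer. It assumes the LAN segment is 192.168.1.0/24 and uses constructed records with placeholder signature_ids.

```python
import json
import ipaddress
from collections import Counter

# Assumption: the monitored segment; adjust to your own LAN prefix.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample eve.json lines (not real captures); signature_ids are placeholders.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"TCP","alert":{"signature":"SURICATA STREAM FIN2 FIN with wrong seq","signature_id":9000001,"severity":3}}
{"timestamp":"2024-01-01T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.53","proto":"UDP","alert":{"signature":"ET INFO DNS Query for Suspicious .ml Domain","signature_id":9000002,"severity":2}}
{"timestamp":"2024-01-01T10:00:02+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.53","proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .world TLD","signature_id":9000003,"severity":2}}
{"timestamp":"2024-01-01T10:00:03+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"192.168.1.20","proto":"TCP","alert":{"signature":"SURICATA STREAM Packet with invalid timestamp","signature_id":9000004,"severity":3}}
{"timestamp":"2024-01-01T10:00:04+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.20","proto":"TCP","alert":{"signature":"SURICATA STREAM FIN invalid ack","signature_id":9000005,"severity":3}}
{"timestamp":"2024-01-01T10:00:05+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.9","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:06+0000","event_type":"alert","src_ip":"203.0.113.77","dest_ip":"192.168.1.10","proto":"TCP","alert":{"signature":"CONSTRUCTED EXAMPLE non-informational alert","signature_id":9000006,"severity":2}}
"""

def is_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def bucket(signature, src_ip, dest_ip):
    """Coarse triage bucket: a starting point for researching why a signature fires."""
    if signature.startswith("SURICATA STREAM"):
        # Stream-engine sanity checks (seq/ack/timestamp); between two LAN hosts this is local chatter.
        if is_lan(src_ip) and is_lan(dest_ip):
            return "stream-anomaly/local"
        return "stream-anomaly/external"
    if signature.startswith("ET INFO"):
        # Informational DNS/TLD notices; they flag hygiene, not exploitation.
        return "informational"
    return "review"

def triage(eve_text):
    """Parse eve.json lines, keep only alert events, count per (bucket, signature)."""
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sig = event["alert"]["signature"]
        counts[(bucket(sig, event["src_ip"], event["dest_ip"]), sig)] += 1
    return counts

if __name__ == "__main__":
    for (b, sig), n in sorted(triage(SAMPLE_EVE).items()):
        print(f"{n:4d}  {b:24s}  {sig}")
```

Point it at a real file with `triage(open("/var/log/suricata/eve.json").read())` and start your research with the “review” bucket, then the external stream anomalies.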