On 09/04/19 13:33, Nicolas Quiniou-Briand via PacketFence-users wrote:
Hello Enrico,
The P2P and "ET TOR" violations have been triggered for the same
device (10.25.1.1)?
Dear Nicolas,
the violations are made by the same host: my notebook, which I used for a test.
*SURICATA TOR*
Apr 2 16:33:38 idssrv suricata[31336] {"timestamp":
"2019-04-02T16:33:38.845514+0200", "flow_id": 42148439405216,
"in_iface": "eth1", "event_type": "alert", "vlan": 25, "src_ip":
"167.114.158.148", "src_port": 443, "dest_ip": "10.25.1.1", "dest_port":
52569, "proto": "TCP", "metadata": {"flowbits": ["ET.TorIP"]}, "alert":
{"action": "allowed", "gid": 1, "signature_id": 2522362, "rev": 3636,
"signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic
group 182", "category": "Misc Attack", "severity": 2, "metadata":
{"updated_at": ["2019_03_18"], "created_at": ["2008_12_01"],
"signature_severity": ["Audit"], "tag": ["TOR"], "deployment":
["Perimeter"], "attack_target": ["Any"], "affected_product": ["Any"]}},
"flow": {"pkts_toserver": 1, "pkts_toclient": 1, "bytes_toserver": 78,
"bytes_toclient": 74, "start": "2019-04-02T16:33:38.733856+0200"}}
Apr 2 16:33:38 idssrv suricata[31336] [1:2522362:3636] ET TOR Known Tor
Relay/Router (Not Exit) Node Traffic group 182 [Classification: Misc
Attack] [Priority: 2] {TCP} 167.114.158.148:443 -> *10.25.1.1*:52569......
*SURICATA P2P (VUZE)*
Apr 2 16:35:23 idssrv suricata[31336] {"timestamp":
"2019-04-02T16:35:23.224591+0200", "flow_id": 1188464480185679,
"in_iface": "eth1", "event_type": "alert", "vlan": 25, "src_ip":
"10.25.1.1", "src_port": 30602, "dest_ip": "174.129.43.152",
"dest_port": 6881, "proto": "UDP", "alert": {"action": "allowed", "gid":
1, "signature_id": 2010140, "rev": 7, "signature": "ET P2P Vuze BT UDP
Connection", "category": "Potential Corporate Privacy Violation",
"severity": 1, "metadata": {"updated_at": ["2016_11_01"], "created_at":
["2010_07_30"]}}, "app_proto": "failed", "flow": {"pkts_toserver": 1,
"pkts_toclient": 0, "bytes_toserver": 93, "bytes_toclient": 0, "start":
"2019-04-02T16:35:23.224591+0200"}}
Apr 2 16:35:23 idssrv suricata[31336] [1:2010140:7] ET P2P Vuze BT UDP
Connection [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {UDP} *10.25.1.1*:30602 -> 174.129.43.152:6881
The only difference that I see is whether my host (10.25.1.1) is the source or
the destination IP when it makes Tor or P2P traffic: in the P2P traffic it is the
source, and in the TOR traffic it is the destination.
Thanks a lot
Best Regards
Enrico
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
_______________________________________________________________________
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
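The direction difference Enrico points out (the notebook is dest_ip in the TOR alert but src_ip in the P2P alert) is exactly what an alert-to-device mapping has to handle. The following is an added example, not PacketFence's own code or anything from the thread: it reads Suricata EVE JSON alerts and attributes each one to the monitored host on whichever side it appears, skipping alerts with no single monitored host. The monitored network 10.25.0.0/16 is an assumption (the thread only shows 10.25.1.1); the two sample records are trimmed from the alerts quoted above.

```python
# Added example (not PacketFence's code): attribute a Suricata EVE JSON alert
# to the monitored host regardless of whether it is src_ip or dest_ip.
import ipaddress
import json

# Assumption: the monitored client network; the thread only shows 10.25.1.1.
MONITORED_NETS = [ipaddress.ip_network("10.25.0.0/16")]

# Sample EVE records, trimmed from the two alerts quoted in the thread.
SAMPLE_EVE = [
    '{"timestamp": "2019-04-02T16:33:38.845514+0200", "event_type": "alert", '
    '"vlan": 25, "src_ip": "167.114.158.148", "src_port": 443, '
    '"dest_ip": "10.25.1.1", "dest_port": 52569, "proto": "TCP", '
    '"alert": {"signature_id": 2522362, "signature": "ET TOR Known Tor '
    'Relay/Router (Not Exit) Node Traffic group 182", "severity": 2}}',
    '{"timestamp": "2019-04-02T16:35:23.224591+0200", "event_type": "alert", '
    '"vlan": 25, "src_ip": "10.25.1.1", "src_port": 30602, '
    '"dest_ip": "174.129.43.152", "dest_port": 6881, "proto": "UDP", '
    '"alert": {"signature_id": 2010140, "signature": "ET P2P Vuze BT UDP '
    'Connection", "severity": 1}}',
]


def is_monitored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETS)


def attribute_alert(event):
    """Return (host_ip, direction, signature_id) for an EVE alert, or None
    when the alert does not involve exactly one monitored host."""
    if event.get("event_type") != "alert":
        return None
    src, dst = event["src_ip"], event["dest_ip"]
    src_in, dst_in = is_monitored(src), is_monitored(dst)
    if src_in and not dst_in:
        return (src, "outbound", event["alert"]["signature_id"])
    if dst_in and not src_in:
        return (dst, "inbound", event["alert"]["signature_id"])
    # Both sides internal (lateral) or both external: no single host to blame.
    return None


def violations_per_host(lines):
    """Group (signature_id, direction) pairs by monitored host for a batch
    of EVE JSON lines; non-alert or malformed lines are ignored."""
    result = {}
    for line in lines:
        try:
            hit = attribute_alert(json.loads(line))
        except (ValueError, KeyError):
            continue
        if hit:
            host, direction, sid = hit
            result.setdefault(host, []).append((sid, direction))
    return result


if __name__ == "__main__":
    print(violations_per_host(SAMPLE_EVE))
```

Run on the two sample records it reports both signatures against 10.25.1.1, one inbound and one outbound, which is the mapping a NAC would need before raising a violation on the device.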