Re: [security-onion] Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group


Wes Lambert

Sep 2, 2020, 7:34:39 AM9/2/20
to securit...@googlegroups.com
Is this question directly related to Security Onion?  It seems like you have quite a few settings/mentions of things here that are not related to usage of the platform.

On Wed, Sep 2, 2020 at 6:07 AM Haris - Scott <elge...@gmail.com> wrote:
Do the below security alert notifications indicate malicious intent from bad actors?

I recently took a leap into some prosumer equipment to get better security and protection for my network. I've attempted to self-educate with countless hours on YouTube and reading various forums, and I have looked at Suricata, but it's all a bit beyond me. Some say turn the security off! That goes against my intuition. I know I've got my security settings set high, but isn't that the point? I guess I'm getting some notifications that are just being hypersensitive, but it worries me to have lower protection.

Some plain English for this NOOB would be great! Many thanks in advance.


SECURITY ALERT
Threat Management Alert 2: Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group: 190, 195, 305, 398, 581, 585, 591, 598, 612, 645, 680, 741, 773

From: XXX.XX.X.variousIPs: 110, 443, 1310, 9001, 9002, 9993

To: XXX.XX.X.myIP: 49999, 51211, 51214, 51219, 51222, 51229, 51230, 51277, 57995, 59555, 59556, 59558, 59563, 59564, 59567, 59586, 59602, 59609, 59619, 59624, 59626, 61317, 63191

PROTOCOL
ALL are protocol: TCP

DEVICE
Ubiquiti Unifi Security Gateway USG

INTERNET SECURITY
Unifi Threat Management: ON
Intrusion Prevention System (IPS): ON
System Sensitivity Levels: Level 5

Virus & Malware - Botcc: ON
Virus & Malware - Malware: ON
Virus & Malware - Mobile Malware: ON
Virus & Malware - WORM: ON
P2P Protection - P2P: ON
P2P Protection - TOR: ON
Hacking Protection - Exploit: ON
Hacking Protection - Shellcode: ON
Internet Traffic Protection - DNS: ON
Internet Traffic Protection - User Agents: ON
Bad Reputation Protection - Dshield: ON
Bad Reputation Protection - Spamhaus: ON

Deep packet Inspection: ON
Restrict Access to Malicious IP Addresses: ON

Restrict Access to TOR: ON

I know there is a clue here, but my concern is about the Misc Attacks. Should I be concerned about the Node Traffic Groups, FROM IP ports used and TO IP ports used?

Therefore, do these notifications indicate malicious intent from bad actors?

Thank you to those that can offer me some insight/understanding.
Cheers. Haris.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/d8de4092-7811-424a-b635-a91b800e5cfen%40googlegroups.com.
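An added triage example for the kind of alert quoted above (my code, not from the thread, Security Onion or Ubiquiti): it judges from port roles which side most likely opened each connection, since a relay-side service port paired with a local ephemeral port is the shape of reply traffic to a connection a device inside the network started, while a local service port paired with a remote ephemeral port is the shape of an inbound connection. The IPs, the local prefix and the flow list are constructed to mirror the port groups in the post.

```python
"""Classify IDS alert flows by which side most likely initiated them.

Uses plain TCP convention: the IANA ephemeral range starts at 49152,
and Tor relays listen on an ORPort (commonly 9001 or 443) and a
DirPort (commonly 9030). Everything below is a constructed example.
"""
from dataclasses import dataclass

EPHEMERAL_MIN = 49152                  # IANA dynamic/private port range
TOR_SERVICE_PORTS = {443, 9001, 9030}  # common Tor ORPort/DirPort values


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify(flow: Flow, local_prefix: str) -> str:
    """Return who most likely opened the flow, judged from port roles."""
    local_is_dst = flow.dst_ip.startswith(local_prefix)
    local_port = flow.dst_port if local_is_dst else flow.src_port
    remote_port = flow.src_port if local_is_dst else flow.dst_port
    if local_port >= EPHEMERAL_MIN and remote_port < EPHEMERAL_MIN:
        # Remote side uses a service port, local side an ephemeral one:
        # this is the reply half of a connection opened from inside, so
        # the question becomes which internal device/process opened it.
        verdict = "local-initiated"
        if remote_port in TOR_SERVICE_PORTS:
            verdict += " (remote port is a common Tor relay port)"
        return verdict
    if remote_port >= EPHEMERAL_MIN and local_port < EPHEMERAL_MIN:
        return "remote-initiated"  # something outside reached a local service
    return "indeterminate"


def triage(flows, local_prefix):
    """Count flows per verdict so the overall pattern is visible."""
    counts = {}
    for flow in flows:
        verdict = classify(flow, local_prefix)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample modelled on the post: relay-side ports 443/9001/9002,
# local-side ports in the ephemeral range. 203.0.113.x and 198.51.100.x are
# documentation addresses; 192.0.2.10 stands in for "myIP".
SAMPLE = [
    Flow("203.0.113.5", 9001, "192.0.2.10", 51211),
    Flow("198.51.100.7", 443, "192.0.2.10", 59555),
    Flow("203.0.113.9", 9002, "192.0.2.10", 63191),
    Flow("203.0.113.22", 52000, "192.0.2.10", 22),  # contrast: inbound to SSH
]

if __name__ == "__main__":
    for flow in SAMPLE:
        print(flow, "->", classify(flow, "192.0.2."))
    print(triage(SAMPLE, "192.0.2."))
```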


--

Haris-Scott Elgeorah

Sep 2, 2020, 7:40:33 AM9/2/20
to securit...@googlegroups.com
Oh! You might be right.
That highlights my lack of knowledge on the subject.

I did a search and this forum came up multiple times, so I figured it might be the place to pose my question.
If indeed my question is better suited elsewhere, I'm not sure where that is. Seems like I'm lost in the wilderness.


Wes Lambert

Sep 2, 2020, 7:50:40 AM9/2/20
to securit...@googlegroups.com
You may do best posing your question to a more general forum, such as a network security subreddit:

or

Thanks,
Wes

Haris - Scott

Sep 2, 2020, 9:44:45 PM9/2/20
to security-onion
Thanks for your help, I'll try there.
I guess I'll try deleting this from here now.
Cheers.
