Posts

Showing posts from October, 2024

What Are Normal Users Supposed to Do with IDS Alerts from Network Gear?

Image
Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product. When you enable this feature, you get alerts like this one, posted by a Redditor: This is everything you get from Ubiquiti.   The Redditor is concerned that their system may be trying to compromise someone on the Internet. This is my answer to how to handle these alerts.   == This is another example of this sort of alert being almost worthless for most users. The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point. Here is one way to get SOME idea of what is happening. Go to https://rules.emergingthreats.net/open/suricata-7.0.3/rules/ Download the file that is named as the first part of the alert. Here that is EXPLOIT. https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules Find the r...