What Are Normal Users Supposed to Do with IDS Alerts from Network Gear?
Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product.
When you enable this feature, you get alerts like this one, posted by a Redditor:
This is everything you get from Ubiquiti.
The Redditor is concerned that their system may be trying to compromise someone on the Internet.
This is my answer to how to handle these alerts.
==
This is another example of this sort of alert being almost worthless for most users.
The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point.
Here is one way to get SOME idea of what is happening.
Go to
https://rules.emergingthreats.net/open/suricata-7.0.3/rules/
Download the file that is named as the first part of the alert. Here that is EXPLOIT.
https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules
Find the rule that fired. This can take some digging. Here is what I ended up doing.
grep -i possible emerging-exploit.rules | grep -i log4j | grep -i obfuscation | grep -i udp | grep -i outbound
Here it is.
alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2023_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
You can ignore 90% of this. The key is here:
content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100
and here:
udp $HOME_NET any -> any any
Now, you have to guess how likely it is that you could have ANY UDP traffic from your home network to anywhere, on any ports, that contains this string
24 7b
followed by this string
24 7b 3a 3a
within the next 100 bytes?
I'm guessing there's a decent chance that could happen in random, normal traffic.
Therefore, without any other evidence, I think you can ignore this alert.
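To make the "could normal traffic match this?" question concrete, here is an added example (not Suricata's code and not part of the original post) that decodes the two content strings from the rule above and emulates the content/within check on a few constructed UDP payloads. The function names decode_content and rule_matches are my own, and the matching logic approximates Suricata's relative-match semantics rather than reproducing its engine.

```python
# Added example: emulate the byte-matching core of ET sid 2034805.
# The content specs below are copied from the rule text on the page.
FIRST_CONTENT = "|24 7b|"          # hex 24 7b  == ASCII "${"
SECOND_CONTENT = "|24 7b 3a 3a|"   # hex 24 7b 3a 3a == ASCII "${::"
WITHIN = 100                       # from "within:100"

def decode_content(spec: str) -> bytes:
    """Turn a Suricata content string into raw bytes.

    Text between |pipes| is hex; anything outside pipes is literal ASCII.
    Only these two forms are handled, which is all this rule uses.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd chunks sit between pipes -> hex
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                               # even chunks are literal text
            out += chunk.encode("ascii")
    return bytes(out)

def rule_matches(payload: bytes, within: int = WITHIN) -> bool:
    """Approximate 'content:A; content:B; within:N;' as Suricata applies it:
    B must sit entirely inside the N bytes that follow the end of an A match.
    Every occurrence of A is tried, because the first "${" may not be the one
    that is followed by "${::".
    """
    first = decode_content(FIRST_CONTENT)
    second = decode_content(SECOND_CONTENT)
    start = 0
    while True:
        pos = payload.find(first, start)
        if pos == -1:
            return False
        end = pos + len(first)
        if second in payload[end:end + within]:   # window of N bytes after A
            return True
        start = pos + 1                           # try the next "${"

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = {
        "template text, ${::} 20 bytes after ${": b"x${ab}" + b"y" * 20 + b"${::z",
        "${:: alone (no earlier ${)":             b"${::",
        "${ then ${:: more than 100 bytes later":  b"${a}" + b"y" * 100 + b"${::",
    }
    for label, data in samples.items():
        print(f"{label:45s} -> fires: {rule_matches(data)}")
```

Any UDP datagram in either direction of a home network that happens to carry "${" and then "${::" within 100 bytes satisfies this check, which is why the alert on its own says little without the packet payload or other supporting data.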
If you want to have a better chance at understanding this in the future, please feel free to check out anything I've written about network security monitoring. Good luck!
==
This problem is why I have promoted network security monitoring since 1998 and subtitled my first book "Beyond Intrusion Detection." Network intrusion detection, by itself, with no supporting data and without even rule explanations, is almost worthless.
Thankfully in this case the vendor is at least using an open rule set, enabling this feeble exploration.