Strange Alert from IDS-ET P2P eMule KAD Network Connection Request
I'm getting this alert on my Suricata device sniffing all traffic in and out of the LAN to my Firewalla Gold. It says it originates from the Firewalla Gold IP address and its destination is 224.0.0.251:5353. It has no connections, just a UDP stream. I'm thinking this may be just a misidentified mDNS message. Do you guys have any input? Doesn't the Firewalla Gold have an mDNS reflector?
-
NVM. I already solved this. I just went and pulled the pcaps and examined them in Wireshark. It's for sure mDNS. So just an FYI: if you are running Suricata or Snort, it may trigger an alert for "ET P2P eMule KAD Network Connection Request" if your Firewalla generates any mDNS messages.
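The check described in the post above, done programmatically instead of by eye in Wireshark, as an added example that is not part of the original thread or of Firewalla or Suricata: the script decodes the UDP payload as a DNS message (header, question section, name compression) and reports "mdns" only when the packet is addressed to 224.0.0.251:5353 and parses as a standard-opcode query or response for `.local` names. It also flags a payload whose first byte is 0xE4 or 0xE5, the eMule Kademlia protocol marker bytes, as "possible-kad"; that is a coarse heuristic of mine, not the matching logic of the ET rule, which is not reproduced here. The sample packets are constructed inline, so the script runs offline; to use it on a real capture, feed it the destination address, port and UDP payload of each flagged packet.

```python
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
# eMule Kademlia UDP traffic starts with a protocol byte: 0xE4 (plain) or 0xE5 (packed).
# Used here only as a rough "this could be KAD" heuristic, not as the ET rule's logic.
KAD_PROTO_BYTES = {0xE4, 0xE5}


def read_name(buf, offset):
    """Decode a DNS name at buf[offset], following RFC 1035 compression pointers.
    Returns (dotted_name, offset_after_name_in_the_original_position)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer (top two bits set)
            pointer = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                  # name ends after the 2-byte pointer
            jumped = True
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns(payload):
    """Parse the DNS header and question section; raise ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(payload, off)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", payload, off)
        off += 4
        questions.append({
            "name": name,
            "type": qtype,
            "class": qclass & 0x7FFF,
            "unicast_response": bool(qclass & 0x8000),   # mDNS "QU" bit (RFC 6762)
        })
    return {
        "id": tid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "questions": questions,
        "answer_count": an,
    }


def classify(dst_ip, dst_port, payload):
    """Return 'mdns', 'possible-kad' or 'unknown' for one UDP datagram."""
    if payload and payload[0] in KAD_PROTO_BYTES:
        return "possible-kad"
    if dst_ip == MDNS_GROUP and dst_port == MDNS_PORT:
        try:
            msg = parse_dns(payload)
        except (ValueError, IndexError, struct.error):
            return "unknown"
        if (msg["opcode"] == 0
                and (msg["questions"] or msg["answer_count"])
                and all(q["name"].endswith(".local") for q in msg["questions"])):
            return "mdns"
    return "unknown"


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_mdns_query(name, qtype=12, unicast=False):
    """Construct a minimal mDNS query (ID 0, one question). qtype 12 = PTR."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    qclass = 1 | (0x8000 if unicast else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


# Constructed samples: a DNS-SD service enumeration query, and a payload that merely
# begins with the KAD marker byte (not a real eMule packet).
SAMPLE_MDNS = build_mdns_query("_services._dns-sd._udp.local")
SAMPLE_KAD_LIKE = b"\xe4" + bytes(26)

if __name__ == "__main__":
    for label, payload in (("mdns sample", SAMPLE_MDNS), ("kad-like sample", SAMPLE_KAD_LIKE)):
        print(label, "->", classify(MDNS_GROUP, MDNS_PORT, payload))
    print(parse_dns(SAMPLE_MDNS)["questions"])
```

Once a flagged packet has been confirmed as mDNS this way, the noise can be silenced without disabling the signature entirely: Suricata's threshold.config accepts a `suppress gen_id 1, sig_id <sid>, track by_src, ip <firewalla-ip>` entry, using the sid printed in the alert and the Firewalla's own address, so the rule still fires for any other source.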
-
"tcpdump and wireshark can be installed on the red/blue/gold/purple if you want. "
I have the Gold. The problem is: 1) I just want to trace alerts or create a rule to trace. 2) Ideally, save a zip on the device or on external storage connected to the device, or send it to a server (preferably asynchronously to avoid process spikes). The bottom line is that when I see an alert with an "upload", or even blocked traffic, just knowing that it happened, or the IP address, is meaningless and very tedious to look up on "whois".
I expect that running this on all WAN/LAN traffic would generate large files and consume costly resources.
It's almost worse to know there may be suspicious activity but not have a way to see what is in the payload with Wireshark, or better, something like NetworkMiner, which requires fewer network skills to just see if files/passwords/etc. are being uploaded.
I'm thrilled with the near 1G performance of Firewalla Gold and would rather not slow it down when it is smart enough to spot suspicious activity.
A lifetime ago I was a networking engineer but now I'm reborn into a newbie so forgive me if this already exists:)