Alert wall invaded with ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read

Hello, I'm a new user of Suricata.
After setting up emerging-exploit.rules, I have been invaded with the "ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read" alert message.
Can you tell me where I need to look first? Thank you in advance.

Hi,

It seems the alerts are populating from the screenshot.
You mean what do you need to do next?

Thank you

It's a strange alert. I don't use IPv6 (all disabled) on the inside and outside network.
Where does it come from?

IPv6 traffic is showing up on the network interface(s) from which Suricata is receiving packets.

My English is not the best…
I have a modem, then the firewall, then the switch of my network.
I don't use IPv6 on the modem (IPv6 is disabled in the setup).
All my network devices have IPv6 disabled.
In the firewall I disabled IPv6 on WAN and LAN.
I still see this alert. If you look, the address is not a logical IPv6 alert. I want to know what device on my network it is, and I don't know where to begin.
Thank you in advance.

Those are link local IPv6 IPs, see https://en.wikipedia.org/wiki/Link-local_address#IPv6 for a bit more details. Link local needs to be disabled on the devices, so this might be the reason why you still see it. Especially with the Target ff02:cc I would count those alerts as false positive. This is normal link local traffic.

Thank you for the reply.
To repeat, I disabled all IPv6 config from the network, on every last device in the network including the firewall.
There is no IPv6 address on my net…

To validate you could run something like tcpdump -i <interface> ip6 and see if it shows you any IPv6 packets.
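As an added example (not code from the thread or from the Suricata project), the following script does the triage the two replies above describe: it reads Suricata eve.json alert records, marks a link-local (fe80::/10) source talking to ff02::/16 multicast such as ff02::cc as the normal link-local chatter called out above, and, where the source address uses a classic EUI-64 interface identifier, recovers the MAC address so the originating device can be found on the switch. The eve.json lines are constructed for illustration; hosts that use privacy or random interface IDs will simply yield no MAC.

```python
import ipaddress
import json

# Constructed eve.json alert lines for illustration (not the thread's real data).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"fe80::1a2b:3cff:fe4d:5e6f","dest_ip":"ff02::cc","proto":"UDP","alert":{"signature":"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read"}}
{"event_type":"alert","src_ip":"2001:db8::10","dest_ip":"2001:db8::20","proto":"TCP","alert":{"signature":"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read"}}
{"event_type":"flow","src_ip":"192.0.2.5","dest_ip":"192.0.2.9","proto":"TCP"}
"""

LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")  # link-scope multicast, e.g. ff02::cc


def mac_from_eui64(addr_str):
    """Recover the MAC embedded in an EUI-64 IPv6 interface identifier.
    Returns None for privacy/random interface IDs (common on modern hosts)."""
    iid = int(ipaddress.IPv6Address(addr_str)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:   # EUI-64 inserts ff:fe in the middle
        return None
    hi = (iid >> 40) ^ 0x020000          # undo the universal/local bit flip
    lo = iid & 0xFFFFFF
    raw = (hi << 24) | lo
    return ":".join(f"{(raw >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def triage(eve_text):
    """Classify IPv6 alerts: link-local source to ff02::/16 is the expected
    neighbour/multicast chatter; anything else is left for manual review."""
    out = []
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        dst = ipaddress.ip_address(rec["dest_ip"])
        if src.version != 6:
            continue
        if src.is_link_local and dst in LINK_LOCAL_MCAST:
            verdict = "link-local-multicast"
        else:
            verdict = "review"
        out.append({"src": str(src), "dest": str(dst), "verdict": verdict,
                    "mac": mac_from_eui64(rec["src_ip"])})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_EVE):
        print(r)
```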

Another thing to consider is that sometimes IPv6 is in a tunnel, like with Teredo.