Hello all,
I recently received the following alert from my home Suricata IDS.
It has captured a suspicious UDP packet/flow targeting one of the devices on my home network, with the IP 192.168.1.60, which is the phone of my son.
The source IP is within my ISP’s netblocks. It is a node in the Facebook content delivery network hosted within my ISP infrastructure (domain name ending in fna.fbcdn.net).
For clarity, there is no rule to authorise UDP traffic to come into that network, except for multicast traffic which is filtered and only authorised from and to certain IP addresses which do not include 192.168.1.60. I am not too sure how this UDP traffic made it into my network but I am assuming that the firewall let “related” UDP traffic in so the initial request came from inside (otherwise I would have a serious problem).
Would someone be able to explain to me the alert below and let me know if I should be worried or not? Anything I can do to block that?
Thank you for your inputs.
{
"alert.action": "allowed",
"alert.category": "Attempted Administrator Privilege Gain",
"alert.gid": 1,
"alert.rev": 1,
"alert.severity": 1,
"alert.signature": "TGI HUNT PowerShell Execution String Base64 Encoded New-Object (V3LU9)",
"alert.signature_id": 2610498,
"app_proto": "failed",
"dest_ip": "192.168.1.60",
"dest_port": 43409,
"event_type": "alert",
"flow_id": 2186265005434351,
"flow.bytes_toclient": 43903003,
"flow.bytes_toserver": 70065,
"flow.pkts_toclient": 34883,
"flow.pkts_toserver": 581,
"flow.start": "2023-05-30T06:35:20.173551+0200",
"proto": "UDP",
"src_ip": "xxx.xxx.133.96",
"src_port": 443,
"timestamp": 1685421482405
}
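As an added triage example (not part of the thread above), the script below reads the posted alert record and derives the observations a defender would check first: which side is the internal host, how lopsided the flow is, and whether the signature is a content match that fired on traffic Suricata could not decode. It assumes the flattened `alert.*` / `flow.*` key names exactly as they appear in the post, and the masked source IP is kept as posted and treated as non-private; the conclusions it prints are heuristics, not verdicts.

```python
import ipaddress
import json

# The alert exactly as posted (flattened EVE keys, masked source IP kept as-is).
POSTED_ALERT = json.loads("""{
  "alert.action": "allowed", "alert.category": "Attempted Administrator Privilege Gain",
  "alert.signature": "TGI HUNT PowerShell Execution String Base64 Encoded New-Object (V3LU9)",
  "alert.signature_id": 2610498, "app_proto": "failed",
  "dest_ip": "192.168.1.60", "dest_port": 43409, "proto": "UDP",
  "flow.bytes_toclient": 43903003, "flow.bytes_toserver": 70065,
  "flow.pkts_toclient": 34883, "flow.pkts_toserver": 581,
  "src_ip": "xxx.xxx.133.96", "src_port": 443
}""")


def is_internal(ip):
    """True for RFC 1918 / private addresses; masked or malformed input counts as external."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:  # e.g. "xxx.xxx.133.96" as redacted in the post
        return False


def triage(alert):
    """Return measurable flow facts plus heuristic notes for one EVE alert record."""
    to_client = alert.get("flow.bytes_toclient", 0)
    to_server = alert.get("flow.bytes_toserver", 0)
    pkts_to_client = alert.get("flow.pkts_toclient", 0) or 1
    total = to_client + to_server
    inbound_share = to_client / total if total else 0.0
    notes = []
    if alert.get("proto") == "UDP" and alert.get("src_port") == 443 and alert.get("app_proto") == "failed":
        notes.append("UDP/443 with app_proto=failed: Suricata did not recognise the application layer; "
                     "QUIC is the usual explanation when the remote side is a CDN node")
    if inbound_share > 0.95:
        notes.append("flow is almost entirely remote->internal bulk data, typical of a download or video stream")
    if is_internal(alert["dest_ip"]) and not is_internal(alert["src_ip"]):
        notes.append("internal host is the packet destination; confirm in the firewall state table that the "
                     "flow was opened from inside rather than by an inbound allow rule")
    if "Base64" in alert.get("alert.signature", "") and alert.get("app_proto") == "failed":
        notes.append("content-match signature fired on an undecoded payload; inspect the matched bytes "
                     "(e.g. the PCAP or payload field) before treating this as PowerShell delivery")
    return {"inbound_share": round(inbound_share, 4),
            "avg_bytes_per_pkt_toclient": round(to_client / pkts_to_client, 1),
            "notes": notes}


if __name__ == "__main__":
    print(json.dumps(triage(POSTED_ALERT), indent=2))
```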