Suricata alert re: suspicious UDP traffic? What should I do?

Hello all,

I recently received the following alert from my home Suricata IDS.

It has captured a suspicious UDP packet/flow targeting one of the devices on my home network, with the IP 192.168.1.60, which is the phone of my son.

The source IP is within my ISP’s netblocks. It is a node in the Facebook content delivery network hosted within my ISP infrastructure (domain name ending in fna.fbcdn.net).

For clarity, there is no rule to authorise UDP traffic to come into that network, except for multicast traffic, which is filtered and only authorised from and to certain IP addresses that do not include 192.168.1.60. I am not too sure how this UDP traffic made it into my network, but I am assuming that the firewall let “related” UDP traffic in, so the initial request came from inside (otherwise I would have a serious problem).

Would someone be able to explain to me the alert below and let me know if I should be worried or not? Anything I can do to block that?

Thank you for your inputs.

{
  "alert.action": "allowed",
  "alert.category": "Attempted Administrator Privilege Gain",
  "alert.gid": 1,
  "alert.rev": 1,
  "alert.severity": 1,
  "alert.signature": "TGI HUNT PowerShell Execution String Base64 Encoded New-Object (V3LU9)",
  "alert.signature_id": 2610498,
  "app_proto": "failed",
  "dest_ip": "192.168.1.60",
  "dest_port": 43409,
  "event_type": "alert",
  "flow_id": 2186265005434351,
  "flow.bytes_toclient": 43903003,
  "flow.bytes_toserver": 70065,
  "flow.pkts_toclient": 34883,
  "flow.pkts_toserver": 581,
  "flow.start": "2023-05-30T06:35:20.173551+0200",
  "proto": "UDP",
  "src_ip": "xxx.xxx.133.96",
  "src_port": 443,
  "timestamp": 1685421482405
}

Nothing to worry about in this alert as it is a false positive: the traffic was initiated from your home network (notice the destination port) towards Facebook, and the alert was generated on the content of the response packets (that's why you see your local IP in the destination).

The source port is 443/UDP, which probably means the QUIC protocol is in play. The protocol is encrypted with TLS and the rule that caused the alert does not account for that, hence it alerted on encrypted content as if it were malicious.
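As an added example (not code from this thread), here is a small Python triage of the alert above that applies the same cues the answer relies on: a private destination on an ephemeral port, source port 443/UDP, and `app_proto` reporting `failed`. The QUIC port set, the 10:1 download ratio, and the TEST-NET placeholder standing in for the masked source IP are my assumptions.

```python
import ipaddress
import json

# Constructed sample: the flattened EVE alert from the question above, with the masked
# source IP replaced by a TEST-NET placeholder (the real value is not on the page).
SAMPLE_ALERT = json.dumps({
    "alert.signature": "TGI HUNT PowerShell Execution String Base64 Encoded New-Object (V3LU9)",
    "alert.signature_id": 2610498,
    "app_proto": "failed",
    "dest_ip": "192.168.1.60", "dest_port": 43409,
    "flow.bytes_toclient": 43903003, "flow.bytes_toserver": 70065,
    "proto": "UDP",
    "src_ip": "203.0.113.96", "src_port": 443,
})

QUIC_PORTS = {443}  # assumption: 443/UDP is treated as QUIC (HTTP/3)


def triage(alert_json: str) -> dict:
    """Classify an EVE alert by flow direction and payload visibility.

    Keys are the flattened 'flow.*' form shown in the question, not nested EVE JSON.
    """
    a = json.loads(alert_json)
    dst = ipaddress.ip_address(a["dest_ip"])
    # The matched packet goes server -> client when the destination is a private host
    # on an ephemeral port and the source sits on a well-known service port.
    local_initiated = dst.is_private and a["dest_port"] >= 1024 and a["src_port"] < 1024
    likely_quic = a["proto"] == "UDP" and a["src_port"] in QUIC_PORTS
    # app_proto "failed": Suricata found no parsable application layer, which is what
    # TLS-encrypted QUIC looks like to a plain content-matching rule.
    opaque_payload = a.get("app_proto") == "failed"
    download_heavy = a["flow.bytes_toclient"] > 10 * a["flow.bytes_toserver"]
    if local_initiated and likely_quic and opaque_payload:
        verdict = "likely false positive: rule matched encrypted response bytes"
    elif not local_initiated and dst.is_private:
        verdict = "needs review: unsolicited inbound traffic to a private host"
    else:
        verdict = "needs review"
    return {
        "sid": a["alert.signature_id"],
        "local_initiated": local_initiated,
        "likely_quic": likely_quic,
        "opaque_payload": opaque_payload,
        "download_heavy": download_heavy,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

The same function applied to a genuinely unsolicited inbound UDP packet (well-known destination port on a private host) returns a "needs review" verdict instead, which is the case worth escalating.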

Thanks A LOT for your explanation, it’s all very clear.

:+1: :+1: :+1: