Hello all!
I have the following entries in fast.log:
04/22/2024-08:56:33.601683 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:50997 -> 192.168.1.109:8009
04/22/2024-08:56:49.845296 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:51000 -> 192.168.1.109:8009
04/22/2024-08:59:00.645129 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56415
04/22/2024-09:10:33.662463 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:51048 -> 192.168.1.109:8009
04/22/2024-09:13:32.384310 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56456
04/22/2024-09:14:11.516996 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56468
It looks like it starts with a scan from 192.168.1.16 to 192.168.1.109.
16 is my laptop but… 109 is not active! It does not exist.
Then it tries to send traffic although I don’t understand this entry very well, I suppose it is malicious.
What catches my attention the most and I can’t understand is why then from IP 2.16.88.20 it tries to connect against 192.168.1.109 (which is not alive).
I have searched the internet without much success, and it also seems that the IP 2.16.88.20 is not suspected nor is it on blacklists.
Any help please?
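A small triage helper for the fast.log lines quoted above, added here as an example (it is not code from the post or from the Suricata project). It parses the default fast.log layout into structured records, collapses repeated hits per signature and address pair, and labels each alert with the direction of the alerting packet relative to the monitored network plus a port-based guess of which side was the client. The RFC 1918 "local" ranges and the ephemeral-port threshold are assumptions and are marked as such in the code.

```python
"""Parse Suricata fast.log alert lines and summarize them for triage.

Added example, not code from the forum post or the Suricata project. SAMPLE
holds the six lines quoted in the post; LOCAL_NETS and EPHEMERAL_START are
assumptions and should be tuned to the monitored network.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# fast.log line: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
# {PROTO} src:sport -> dst:dport. Classification is optional: rules without a
# classtype omit that bracket entirely.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Assumption: RFC 1918 space is "local"; replace with the real monitored ranges.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ports at or above this are client-side ephemeral ports
# (the Linux default range starts at 32768).
EPHEMERAL_START = 32768


@dataclass
class Alert:
    ts: datetime
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_log(text: str) -> list[Alert]:
    """One Alert per well-formed line; blank or unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"])))
    return alerts


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(a: Alert) -> str:
    """Where the alerting packet was heading relative to the monitored network."""
    s, d = is_local(a.src), is_local(a.dst)
    if s and d:
        return "internal"
    return "inbound" if d else "outbound" if s else "external"


def flow_role(a: Alert) -> str:
    """Port heuristic: ephemeral source -> fixed port is the client talking to a
    service; fixed source -> ephemeral destination is the service replying."""
    if a.sport >= EPHEMERAL_START and a.dport < EPHEMERAL_START:
        return "client->server"
    if a.sport < EPHEMERAL_START and a.dport >= EPHEMERAL_START:
        return "server->client"
    return "unknown"


def summarize(alerts: list[Alert]) -> Counter:
    """Alert count per (sid, src, dst) so repeated hits collapse into one row."""
    return Counter((a.sid, a.src, a.dst) for a in alerts)


# Constructed sample: the six lines quoted in the post.
SAMPLE = """\
04/22/2024-08:56:33.601683 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:50997 -> 192.168.1.109:8009
04/22/2024-08:56:49.845296 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:51000 -> 192.168.1.109:8009
04/22/2024-08:59:00.645129 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56415
04/22/2024-09:10:33.662463 [**] [1:1000008:4] POSSBL SCAN NMAP TCP (type -sT) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.16:51048 -> 192.168.1.109:8009
04/22/2024-09:13:32.384310 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56456
04/22/2024-09:14:11.516996 [**] [1:2260001:1] SURICATA Applayer Wrong direction first Data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.16.88.20:443 -> 192.168.1.109:56468
"""

if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE)
    first = {(a.sid, a.src, a.dst): a for a in reversed(parsed)}
    for (sid, src, dst), n in summarize(parsed).items():
        a = first[(sid, src, dst)]
        print(f"sid={sid} x{n} {src}:{a.sport} -> {dst}:{a.dport} "
              f"[{direction(a)}, {flow_role(a)}] {a.msg}")
```

Run as a script it prints one row per signature and address pair; for the lines above the two rows come out as "internal, client->server" (laptop to port 8009) and "inbound, server->client" (port 443 to high-numbered local ports), which is the distinction an analyst wants before deciding whether a remote address initiated anything or was answering. Pipe a real fast.log into `parse_fast_log` and group further by `proto` or `ts` as needed.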