Alarms every day Suricata

NethServer Version: 7.5 final
Module: Suricata

Hey Folks,
i receive rom Evebox Messages like this:
ALERT: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126 2 [ ET ]
Timestamp 2018-07-12T20:01:03.296647+0200
Protocol UDP Source :123 Destination :44567
Flow ID 2091986620199229 Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126 Category Misc Attack Signature ID 1: 2522250 :3384 Severity 2

I guess it is something NTP but what i dont get, i have chronyd installed and up and running. so normal the systems inside the network should be synch with it. Maybe someone has an idea :slight_smile:

It seems to be an internal device that wants to sync time via NTP with an external source like

Is your Nethserver? If not it’s the syncing device, maybe you can configure it to sync time with your Nethserver.!msg/security-onion/94wULUciQvQ/6J7w5b6bBAAJ

1 Like

yep, thats is what happen. but i dont know why systems from internal lan try to get it from outside the lan.

no, the is just a device inside the lan. i thought if i have chronyd installed the devices inside the lan would sync with it.

No you have to setup the NTP clients manually to get the time from Nethserver. Samba domain clients could be set to sync with the server AFAIK but other devices (NAS, printers, etc.) have to be configured.

1 Like