Alarms every day Suricata

hucky · 2018-07-13 05:53:24 UTC

NethServer Version: 7.5 final
Module: Suricata

Hey Folks,
i receive rom Evebox Messages like this:
ALERT: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126 2 [ ET ]
Timestamp 2018-07-12T20:01:03.296647+0200
Protocol UDP Source 138.201.135.108 :123 Destination 192.168.100.147 :44567
Flow ID 2091986620199229 Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126 Category Misc Attack Signature ID 1: 2522250 :3384 Severity 2

I guess it is something NTP but what i dont get, i have chronyd installed and up and running. so normal the systems inside the network should be synch with it. Maybe someone has an idea

mrmarkuz · 2018-07-13 11:08:20 UTC

It seems to be an internal device that wants to sync time via NTP with an external source like pool.ntp.org.

Is 192.168.100.147 your Nethserver? If not it’s the syncing device, maybe you can configure it to sync time with your Nethserver.

https://groups.google.com/forum/#!msg/security-onion/94wULUciQvQ/6J7w5b6bBAAJ
https://forum.synology.com/enu/viewtopic.php?t=136854

hucky · 2018-07-13 14:54:13 UTC

yep, thats is what happen. but i dont know why systems from internal lan try to get it from outside the lan.

no, the 192.168.100.147 is just a device inside the lan. i thought if i have chronyd installed the devices inside the lan would sync with it.

mrmarkuz · 2018-07-13 15:04:30 UTC

No you have to setup the NTP clients manually to get the time from Nethserver. Samba domain clients could be set to sync with the server AFAIK but other devices (NAS, printers, etc.) have to be configured.