community.ui.com
Open in
urlscan Pro
2600:9000:24f3:2800:1f:7c20:b2c0:93a1
Public Scan
URL:
https://community.ui.com/questions/IPS-ThunderNetwork/1a38429a-5ee1-4493-901a-f5ff1d95c2b8
Submission: On November 01 via manual from US — Scanned from US
Submission: On November 01 via manual from US — Scanned from US
Form analysis
0 forms found in the DOMText Content
CommunityTopicsStoriesReleasesSupport Sign upLog in Back Ask a related question Posted 4 years agoLast Activity 6 months ago IPS: THUNDERNETWORK 3 1311k CommentFollow I keep getting the following IPS alert. It's happened at at least two sites: Message: IPS Alert 1: Potential Corporate Privacy Violation. Signature ET P2P ThunderNetwork UDP Traffic. From: fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx:xxxxx, to: ff02:0000:0000:0000:0000:0000:0001:0003:5355, protocol: UDP the x's are variable. These sites aren't using IPv6, and I have no idea how to track this down, or what it's trying to tell me. Any ideas? RESPONSES (13) Sort by NewestOldest Page 1 L littlewolf 4 years ago They are using IPv6 at minimum on your LANs, even when you believe they are not since you did not set up any IPv6 on your router. IPv6 has been the preferred protocol in any decent OS for years. The above is LLMNR traffic. 0 B bsullo 4 years ago Yes, I realize all the systems have IPv6 enabled. I meant that the router has no IPv6 configured on its interfaces. So, this is normal, internal traffic. Why is IPS detecting it as traffic to a specific P2P service? 0 L littlewolf 4 years ago You are welcome to read the ET signature to determine why. https://doc.emergingthreats.net/bin/view/Main/2009099 As for why is it hitting the USG - well, because it's multicast. IDS/IPS is not a set and forget feature, you need to whitelist obvious false positives and broken signatures. 0 B bsullo 4 years ago Okay. How would I have ever connected that alert to the URL you provide? There's nothing in the alert that says where to go for more information. Also, when I open that URL, what am I looking at? It's all gibberish without some sort of context. 0 L littlewolf 4 years ago There's extensive documentation available on the Suricata rules. Have fun. 😁 IMHO this feature lacks a big red warning that it's not intended for everyone. You are going to have hard time tweaking the setup to not interfere with your legitimate usage patterns when it's "all gibberish" to you. -1 B bsullo 4 years ago You don't need to be condescending. I'm not an idiot, just not familiar with this system yet. There is nothing in the Ubiquiti IPS alerts that says they have anything to do with the sites you referenced. How would anyone new to Ubiquiti IPS know this unless someone tells them? Thank you for telling me. The site you referenced is code. It would be gibberish to anyone without the proper key. I'm guessing the Security Rules page holds that key (though I don't know what Securita is, or how it factors into the Unifi IPS system). 4 L littlewolf 4 years ago Suricata is the IPS. That was not meant to be condescending, that was a statement of fact. Do yourself a favour and run that as IDS only, not as IPS -- until you get a whole lot more familiar with that thing and false positives. Takes weeks to tune, requires monitoring even after that since any buggy new or updated rule can completely kill your internet access (e.g., by blocking legitimate DNS servers). An overzealous choice of rule categories can be disastrous as well. If you are not willing to invest a lot of time into learning, you'll be a whole lot better off disabling that feature altogether. Suricata/Snort IDS/IPS are not a consumer level feature, at all. Turns into a nightmare and useless resource hog and nuisance when used as such. There absolutely should a big red warning about these facts. 0 B bsullo 4 years ago Forgive my jumping to interpretations. So far, we're running IPS at 9 sites with all categories full on. We've had a number of false positives, but nothing disruptive. In fact, I sometimes wonder if it's actually blocking, since we get alerts for things like "GPL CHAT Jabber/Google Talk Outgoing Traffic" and "ET CHAT Skype User-Agent detected", yet no one has ever complained of Google Talk or Skype not working. Now that I know that at least some of the signatures can be found at the Emerging Threats site (Still not sure of the relationship between EmergingThreats.net, Securita, and Unifi.), and now that I understand how to interpret the signatures, I see "ET CHAT Skype User-Agent detected" has an "alert" action, rather than a "drop" action. It would be really nice if Unifi's alerts informed you of what it actually did with the traffic it's alerting you to. Others on this forum have stated that having IPS turned on (as opposed to IDS) it blocks everything it alerts for, but I wonder if that's acutally true. I could not find the "GPL CHAT Jabber/Google Talk Outgoing Traffic" at EmergingThreats.net, and I assume that has something to do with the "GPL" as opposed to "ET" at the start of the message. If only I knew what GPL stood for . . . 3 L littlewolf 4 years ago - Suricata - the IDS/IPS software. (Snort is the other major open-source IDS/IPS). - Emerging Threats (ET) - publishes some rulesets that can be used by Snort/Suricata. There's a free ET ruleset, there's a paid (ET Pro) one. The free one is basically one month behind the paid option. Then there are also other rulesets available from Snort - community (GPL) and paid - made for Snort but mostly compatible with Suricata (the incompatible ones will be simply ignored). Finally, you can also write your own rules in case you have the knowledge. - UBNT only plugs into those, provisioning YAML configuration for Suricata based on your GUI configuration. - IDS will only alert. Now with IPS, you can either use the policy keywords defined in the rules (connectivity, balanced, security, none) to choose what to block (e.g., the rule can have Block action defined for security policy, and Alert action for the remaining policies), or choose your own rule actions. What's exactly UBNT doing here, I don't know. You need to ask them directly or dig into configuration via shell. Understanding what's exactly being done here is of course critical. This needs to be documented. Plus whole lot more configurable. And also absolutely requires that you can define the interfaces where Suricata should run. With no HW offloading possible, combined with lack of L3 switching, running Suricata on all interfaces (which apparently is the case at the moment), this is totally a network performance killer. 5 A ablade75 7 months ago Apologies for the bump, but I think this is a bug. We have exactly the same alert, with exactly the same IPv6 addresses (it was a search for the IPv6 that lead me here), generated 2 days ago. 1 G gwatson1 7 months ago @bsullo "You don't need to be condescending. I'm not an idiot, just not familiar" From someone who feels like he is in a similar position - sometimes the cause/effect isn't always directly linked - I received the same threat alerts - and I "perceive" that they disappeared when I unlinked port "Link Aggregation" on multiple poe ports on a USW Pro 24 POE switch ... Above someone basically told you that we have IPv6 dns multicast resolution generating an error over one of our switches ... I am sure someone much smarter than I could interpret that "fe80:xxx...." address style source that you and I received in our alerts and probably tell us that the device source isn't what you and I think of as a physical device on our network ... So - try what I did and see if you can did through what is happening on your Layer 3 switches that can do the routing at that level - and then you can find narrow the source ... In my case - the solution was to configure the device on the other side of the link-aggregation to only use IPv4 and my alerts went away ... I am sure there are dozens of variations off this type of theme ... where the source of the problem does not directly reflect the alert we receive - and the alert we receive has what appears to be an unidentifiable source ... DrG 0 G genexpieguy 6 months ago FWIW, I just had one of these as well. Exactly the same as indicated in the first post. I'm not knowledgeable enough to know exactly what it is, but knowledgeable enough not to panic over it. 0 acelis 6 months ago I'm having the same issue. The UniFi Alert actually doesn't give you all of the details. I actually have an API call that pulls the full IPS alert record... which actually includes the MAC addresses of the source and destination devices. Here is an example of the full alert record: UniFi Network Alarm at [REDACTED] Date and time of alarm: 2022-04-30T00:33:36Z Message: IPS Alert 1: Potential Corporate Privacy Violation. Signature ET P2P ThunderNetwork UDP Traffic. From: fe80:0000:0000:0000:101e:6680:3b64:ae91:65077, to: ff02:0000:0000:0000:0000:0000:0001:0003:5355, protocol: UDP full alarm details: { "_id": "626c83e1788b2a1f300283d9", "archived": false, "timestamp": 1651278816, "flow_id": 1475589766651247, "in_iface": "eth1", "event_type": "alert", "src_ip": "fe80:0000:0000:0000:101e:6680:3b64:ae91", "src_mac": "a4:bb:6d:b9:d4:2e", "src_port": 65077, "dest_ip": "ff02:0000:0000:0000:0000:0000:0001:0003", "dst_mac": "33:33:00:01:00:03", "dest_port": 5355, "proto": "UDP", "app_proto": "failed", "host": "b4:fb:e4:cc:c6:20", "usgip": "[REDACTED]", "unique_alertid": "928214190-2022-04-29T19:33:36.073071-0500", "srcipGeo": [], "dstipGeo": [], "usgipGeo": { "continent_code": "NA", "country_code": "US", "country_name": "United States", "city": "Houston", "latitude": 29.69, "longitude": -95.2564, "asn": 7922, "organization": "COMCAST-7922" }, "usgipCountry": "US", "usgipASN": "7922 COMCAST-7922", "catname": "emerging-p2p", "inner_alert_action": "allowed", "inner_alert_gid": 1, "inner_alert_signature_id": 2009099, "inner_alert_rev": 4, "inner_alert_signature": "ET P2P ThunderNetwork UDP Traffic", "inner_alert_category": "Potential Corporate Privacy Violation", "inner_alert_severity": 1, "key": "EVT_IPS_IpsAlert", "subsystem": "www", "is_negative": true, "site_id": "5cbf48bcf2d1ef0790fd55fc", "time": 1651278816000, "datetime": "2022-04-30T00:33:36Z", "msg": "IPS Alert 1: Potential Corporate Privacy Violation. Signature ET P2P ThunderNetwork UDP Traffic. From: fe80:0000:0000:0000:101e:6680:3b64:ae91:65077, to: ff02:0000:0000:0000:0000:0000:0001:0003:5355, protocol: UDP" } Here's the thing. I run a full UniFi stack and IPv6 is disabled on the WAN interface and on the LAN and VLAN interfaces IPv6 is set to none. I inspected the source PC of this traffic and couldn't find anything that might trigger this. Even at the time of the alarm, the PC was idle with no under intervention for some time. I did see that the source PC did have IPv6 enabled in it's ethernet adapter settings. I'm going to try disabling that and see if it stops these alarms. 0 Page 1 YOUR RESPONSE Write your response here ... Comment B bsullo 4 years ago TAGS UniFiUniFi Routing & Switching UI.com Community feedbackTerms of ServicePrivacy PolicyLegal © 2022 Ubiquiti, Inc. All Rights Reserved. PRIVACY PREFERENCE CENTER When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More Information Allow All MANAGE CONSENT PREFERENCES FUNCTIONAL COOKIES Always Active These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. PERFORMANCE COOKIES Always Active These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. TARGETING COOKIES Always Active These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. BACK BUTTON PERFORMANCE COOKIES Vendor Search Search Icon Filter Icon Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label * 33ACROSS HOST DESCRIPTION VIEW COOKIES * Name cookie name * 33ACROSS View Privacy Notice Confirm My Choices