What Should Ordinary Users Do if They Receive IDS Alerts from Network Equipment?

About once a week a post like this appears in the r/Ubiquiti subreddit. Ubiquiti makes networking equipment that includes an "IDS/IPS" feature. I own some older Ubiquiti gear, so I am familiar with the product.

Once you activate this function, you will start receiving alerts like the one shared by a Redditor:

This is the extent of the information provided by Ubiquiti.
 
The Redditor is worried that a system on their network might be trying to break into someone else's system on the Internet.
Here is my response on how to manage these alerts.
 
==
This is another example of how alerts like this are close to useless for most users.

The important part is trying to understand what MIGHT have triggered the alert. The CVE and the rest of the metadata are not relevant at this stage.

One way to get some insight into the situation is the following.

Visit

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/

Download the file that corresponds to the category in the alert name. Here the alert begins with ET EXPLOIT, so the file is emerging-exploit.rules.

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules

Find the rule that fired. This may take some searching; here is what I did.

grep -i possible emerging-exploit.rules | grep -i log4j | grep -i obfuscation | grep -i udp | grep -i outbound

Here is the output.

alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2023_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

You can ignore 90% of this. The parts that matter are:

content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100

and this:

udp $HOME_NET any -> any any

Now you need to estimate how likely it is that ANY UDP traffic leaving your home network, to any destination on any port, contains this byte string

24 7b

(the ASCII characters "${") followed by this byte string

24 7b 3a 3a

(the characters "${::") within the next 100 bytes. Nothing else in the rule narrows it down: there is no port, no application-layer protocol keyword and no flow keyword, so a single UDP packet with those bytes in that order is enough to fire it.

I believe there is a reasonable chance that such a scenario could occur in random, ordinary traffic.

Therefore, without any additional evidence, I suggest disregarding this alert.

If you wish to enhance your understanding in the future, feel free to explore any content I have written regarding network security monitoring. Best of luck!

 
==
This is precisely why I have advocated network security monitoring since 1998 and subtitled my first book "Beyond Intrusion Detection." Network intrusion detection on its own, without supporting data and without explanations of the rules, is woefully ineffective.
Fortunately, in this case the vendor uses an open rule set, which is what makes even this limited investigation possible.
