Comment on Network Security Audit
non_burglar@lemmy.world 4 days ago
Running suricata on your wan interface is just generating a ton of noise and will be really confusing for you if you haven’t reviewed packet inspection alerts before. Not a lot of value in it unless you have many users “phoning home”.
Just run it on the lan interface.
irmadlad@lemmy.world 4 days ago
I’ve been told this before. I also acknowledge and appreciate your advice coming from a professional pov. However, here’s the thing…my OCD would never allow me not to know. It would drive me up the wall not knowing. I get what you are saying, and you are right. It is my kryptonite not to know. It is a curse I can tell you.
non_burglar@lemmy.world 4 days ago
OK, well it’s not harming anything, so if you’re game to learn, by all means.
When you look at traffic on a public interface, besides learning what to filter out as just normal (probes, crawls, etc. from legit sources), you will also run into badly-formed TCP traffic:
Martian packets: en.wikipedia.org/wiki/Martian_packet
IP spoofing: en.wikipedia.org/wiki/IP_address_spoofing (I used to have a better resource for this, I’ll try to find it)
How RPC works: pentest.co.uk/…/researching-remote-procedure-call…
That should help clarify a lot of what you’ll see in traffic on your segment.
You may also want to briefly read about how CDNs work, you’ll see a lot of akamai and cloudflare traffic too.
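As an added illustration of the "martian packet" point above (this is editor-supplied example code, not something either commenter posted), the script below triages alert records by whether the source address belongs to a block that should never appear as a source on a public interface (RFC 1918 private space, loopback, link-local, CGNAT, multicast, the documentation nets, and their IPv6 counterparts). The record fields (`event_type`, `src_ip`, `dest_ip`, `alert.signature`) follow the naming used in Suricata's EVE JSON log; the sample records themselves are constructed for the example, and the destination address is a placeholder for the home router's WAN address. The address list is drawn from the RFCs named in the comments and is an editorial assumption about what counts as "martian" for this purpose.

```python
import ipaddress
import json
from collections import Counter

# Blocks that must never be the source of a packet arriving on a WAN interface.
# Drawn from RFC 1918, RFC 6890, RFC 5737, RFC 3927 and RFC 4193 (assumed list).
MARTIAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::/128",           # unspecified
    "::1/128",          # loopback
    "fc00::/7",         # unique local (RFC 4193)
    "fe80::/10",        # link-local
    "ff00::/8",         # multicast
    "2001:db8::/32",    # documentation
)]


def is_martian(addr: str) -> bool:
    """True if addr falls in a block that cannot legitimately source WAN traffic.
    Raises ValueError if addr is not a parseable IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ returns False across address families, so mixing
    # v4 and v6 entries in one list is safe.
    return any(ip in net for net in MARTIAN_NETWORKS)


def triage_alerts(lines):
    """Bucket EVE-style alert records by source address.

    Returns {"martian": Counter, "public": Counter, "skipped": int}. Lines that
    are not JSON, are not alert events, or carry an unparseable src_ip are
    counted as skipped rather than crashing the run."""
    result = {"martian": Counter(), "public": Counter(), "skipped": 0}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            result["skipped"] += 1
            continue
        if rec.get("event_type") != "alert" or "src_ip" not in rec:
            result["skipped"] += 1
            continue
        src = rec["src_ip"]
        try:
            bucket = "martian" if is_martian(src) else "public"
        except ValueError:
            result["skipped"] += 1
            continue
        result[bucket][src] += 1
    return result


# Constructed sample records; dest_ip 192.0.2.10 stands in for the WAN address.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature":"example private-source probe"}}',
    '{"event_type":"alert","src_ip":"8.8.8.8","dest_ip":"192.0.2.10","alert":{"signature":"example DNS response"}}',
    '{"event_type":"alert","src_ip":"169.254.10.1","dest_ip":"192.0.2.10","alert":{"signature":"example link-local source"}}',
    '{"event_type":"alert","src_ip":"1.1.1.1","dest_ip":"192.0.2.10","alert":{"signature":"example DNS response"}}',
    '{"event_type":"alert","src_ip":"8.8.8.8","dest_ip":"192.0.2.10","alert":{"signature":"example DNS response"}}',
    '{"event_type":"flow","src_ip":"8.8.8.8","dest_ip":"192.0.2.10"}',
    'not json at all',
]


if __name__ == "__main__":
    summary = triage_alerts(SAMPLE_EVE_LINES)
    print("martian sources (spoofed or misrouted, worth a look):")
    for ip, n in summary["martian"].most_common():
        print(f"  {ip:40} {n}")
    print("public sources (normal internet background noise):")
    for ip, n in summary["public"].most_common():
        print(f"  {ip:40} {n}")
    print(f"skipped records: {summary['skipped']}")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with `open("/var/log/suricata/eve.json")`; anything landing in the martian bucket on the WAN side is either spoofed, leaked by a misconfigured upstream, or a sign the sensor is actually seeing LAN-side traffic, and is a far shorter list to read than the raw alert stream.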
irmadlad@lemmy.world 4 days ago
Thank you for the links and guidance. I will definitely read those. Yeah I do see a lot of things like:
So, since I am working within the framework of my own personal shortcomings and have to know, I research them to find out why they get triggered. That way I don’t freak out over them. A lot of them are benign and due to normal occurrences between server and user.