Comment

OK, well it’s not harming anything, so if you’re game to learn, by all means.

When you look at traffic on a public interface, besides learning what to filter out that is just normal (probes, crawls, etc from legit sources), but you also will run into badly-formed TCP traffic:

Martian packets: en.wikipedia.org/wiki/Martian_packet IP spoofing: en.wikipedia.org/wiki/IP_address_spoofing (I used to have a better resource for this,I’ll try to find it) How RPC works: pentest.co.uk/…/researching-remote-procedure-call…

That should help clarify a lot of what you’ll see in traffic on your segment.

You may also want to briefly read about how CDNs work, you’ll see a lot of akamai and cloudflare traffic too.

source

Sort:hotnew top

irmadlad@lemmy.world ⁨4⁩ ⁨days⁩ ago
That should help clarify a lot of what you’ll see in traffic on your segment.

Thank you for the links and guidance. I will definitely read those. Yeah I do see a lot of things like:

SURICATA STREAM FIN2 FIN with wrong seq (this is from local chatter)

ET INFO DNS Query for Suspicious .ml Domain (must check out this suspicious domain /s)

ET INFO Observed DNS Query to .world TLD (same as above)

SURICATA STREAM Packet with invalid timestamp (local chatter - common triggered event from what I understand)

SURICATA STREAM FIN invalid ack (known domain speedtest)

So, since I am working within the framework of my own personal shortcomings and have to know, I research them to find out why they get triggered. That way I don’t freak out over them A lot of them are benign and due to normal occurrences between server and user.
source