Monday, May 9, 2022

SecurityOnion@Home: Alerts Day 1

After a few reloads I have SecurityOnion 2.3 on my home network. I have set up a TAP between my Netgear Mesh MR60 and the TP-Link SG108 switch. 90% of my traffic is WiFi, with only a few dedicated hard-wired machines.

Hardwired machines: my desktop, my work computer, Philips Hue, and the backhaul for one of the MS60 satellites (Netgear Mesh).

WiFi: everything else (TVs, garage door, Rokus, Apple TV, phones (a lot), tablets, 4x laptops).

Currently I am wondering if I should move the TAP from between the LAN and the switch to the WAN/modem side. From there I could possibly set up a SPAN (mirror) port on the switch (which is getting replaced soon with a Zyxel GS1100-16) for the rest of the traffic.

Below are my current alerts (I cut off the IPs).

The first alert I noticed (not in the image) was:

ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted (IP was my router).

        * This was because web access to my router was set to HTTP only, not HTTPS.
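What that alert means in practice: anything sitting on the TAP can recover the router login, because a Basic Authorization header is only base64, not encryption. The script below is an added example (not code from the post or from Security Onion) that does the same decoding the rule does on a captured request; the flows, the router address 192.168.1.1 and the credentials in it are constructed.

```python
"""What the 'Incoming Basic Auth Base64 HTTP Password detected unencrypted'
alert means: anything on the TAP can recover the router login.

Added example, not code from the original post or from Security Onion. The
flows below are constructed; 192.168.1.1 and 'admin:hunter2' are made up.
"""
import base64
import binascii
from typing import List, Optional, Tuple


def extract_basic_auth(raw_request: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, password) if the HTTP request carries a Basic
    Authorization header, otherwise None.

    This is the same work the IDS rule does on a plaintext HTTP stream:
    find the header, drop the scheme, base64-decode, split on the first colon.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None  # Bearer, Digest, etc.: not a base64 user:password pair
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except binascii.Error:
            return None  # malformed token: nothing to recover
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


# Constructed sample flows as a sensor on the TAP would see them:
# (destination, port, first bytes of the client's payload).
SAMPLE_FLOWS = [
    # Plain-HTTP login to the router admin page: the header is readable on the wire.
    ("192.168.1.1", 80,
     b"GET /setup.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    # Same login over HTTPS: the sensor only sees a TLS application-data record,
    # so the Authorization header (inside the ciphertext) never reaches the rule.
    ("192.168.1.1", 443, b"\x17\x03\x03\x00\x20" + bytes(range(32))),
    # A token-based API call: plaintext, but not Basic, so this rule does not
    # fire (the bearer token is still readable, it is just not what the rule matches).
    ("192.168.1.5", 80,
     b"GET /api HTTP/1.1\r\nHost: 192.168.1.5\r\nAuthorization: Bearer abc.def.ghi\r\n\r\n"),
]


def exposed_credentials(flows) -> List[Tuple[str, int, str, str]]:
    """Return (dest, port, user, password) for every flow that leaks Basic creds."""
    found = []
    for dest, port, payload in flows:
        creds = extract_basic_auth(payload)
        if creds:
            found.append((dest, port, creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for dest, port, user, password in exposed_credentials(SAMPLE_FLOWS):
        print(f"{dest}:{port} leaked {user!r} / {password!r}")
```

Switching the router's admin page to HTTPS makes the second flow the only thing the TAP sees, which is why the fix is on the router rather than in the rule.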

The next batch of alerts is below:

1.  ET POLICY External Lookup Domain (myip.opendns) - I use OpenDNS on my kids' laptops for some blocking.

2.  ET POLICY HTTP Traffic on port 443 (this looks like it is going to Amazon) - identified.

3.  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98 - Plex server using the remote access port identified in Settings
        * Read that this could be NTP related; need to identify what it does.

4.  ET SCAN MS Terminal Server Traffic on Non-Standard Port - Plex server using the remote access port identified in Settings

5.  ET TOR Known Tor Exit Node Traffic group 76 - Plex server using the remote access port identified in Settings
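Alerts 3, 4 and 5 all resolve to the same thing, one exposed port on the Plex server, and that convergence is easiest to see when the alerts are pivoted by local host and port instead of read one at a time. The script below is an added example (not code from the post or from Security Onion) that does that pivot over eve.json-style alert records. The records are constructed: 192.168.0.0/16 is assumed to be the home network, 192.168.1.20:32400 is assumed to be the Plex server on Plex's default remote-access port (the post does not give either), the remote addresses are RFC 5737 documentation ranges, and the signature text follows the rule names listed above.

```python
"""Pivot Security Onion (Suricata eve.json) alerts by local host and service
port to see which signatures are really describing one service.

Added example, not code from the original post or from Security Onion. The
records are constructed: 192.168.0.0/16 is assumed to be the home network,
192.168.1.20:32400 is assumed to be the Plex server on Plex's default
remote-access port, remote addresses are RFC 5737 documentation ranges.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.0.0/16")  # assumption: the post does not state it

# Constructed sample eve.json lines (one JSON object per line, as Suricata writes them).
SAMPLE_EVE = """
{"timestamp":"2022-05-09T08:12:01.000000-0400","event_type":"alert","src_ip":"198.51.100.23","src_port":41022,"dest_ip":"192.168.1.20","dest_port":32400,"proto":"TCP","alert":{"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98"}}
{"timestamp":"2022-05-09T08:12:03.000000-0400","event_type":"alert","src_ip":"203.0.113.7","src_port":50511,"dest_ip":"192.168.1.20","dest_port":32400,"proto":"TCP","alert":{"signature":"ET SCAN MS Terminal Server Traffic on Non-Standard Port"}}
{"timestamp":"2022-05-09T08:14:40.000000-0400","event_type":"alert","src_ip":"198.51.100.77","src_port":39810,"dest_ip":"192.168.1.20","dest_port":32400,"proto":"TCP","alert":{"signature":"ET TOR Known Tor Exit Node Traffic group 76"}}
{"timestamp":"2022-05-09T08:20:15.000000-0400","event_type":"alert","src_ip":"198.51.100.23","src_port":41310,"dest_ip":"192.168.1.20","dest_port":32400,"proto":"TCP","alert":{"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98"}}
{"timestamp":"2022-05-09T08:31:09.000000-0400","event_type":"dns","src_ip":"192.168.1.31","src_port":55012,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"myip.opendns.com"}}
{"timestamp":"2022-05-09T08:31:09.000000-0400","event_type":"alert","src_ip":"192.168.1.31","src_port":55012,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","alert":{"signature":"ET POLICY External Lookup Domain (myip.opendns)"}}
{"timestamp":"2022-05-09T08:45:50.000000-0400","event_type":"alert","src_ip":"192.168.1.31","src_port":55201,"dest_ip":"203.0.113.200","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY HTTP Traffic on port 443"}}
{"timestamp":"2022-05-09T09:02:12.000000-0400","event_type":"alert","src_ip":"192.168.1.31","src_port":55344,"dest_ip":"192.168.1.1","dest_port":80,"proto":"TCP","alert":{"signature":"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"}}
""".strip()


def load_alerts(eve_text: str):
    """Parse newline-delimited eve.json and keep only event_type == "alert"."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def local_host_and_service(rec, home=HOME_NET):
    """Map an alert to (local host, service port).

    Inbound and LAN-to-LAN hits (Internet -> Plex, laptop -> router) key on the
    local server; outbound hits (laptop -> OpenDNS) key on the local client and
    the remote service port. Flows with no home-network end are dropped.
    """
    if ip_address(rec["dest_ip"]) in home:
        return rec["dest_ip"], rec["dest_port"]
    if ip_address(rec["src_ip"]) in home:
        return rec["src_ip"], rec["dest_port"]
    return None


def pivot_by_service(alerts, home=HOME_NET):
    """Return {(local host, port): {signature: hit count}}."""
    pivot = defaultdict(lambda: defaultdict(int))
    for rec in alerts:
        key = local_host_and_service(rec, home)
        if key is not None:
            pivot[key][rec["alert"]["signature"]] += 1
    return pivot


def shared_service_ports(pivot, min_signatures=2):
    """Endpoints hit by several different signatures: the usual sign that the
    rules are describing one exposed service rather than separate problems."""
    return sorted(key for key, sigs in pivot.items() if len(sigs) >= min_signatures)


if __name__ == "__main__":
    pivot = pivot_by_service(load_alerts(SAMPLE_EVE))
    for (host, port), sigs in sorted(pivot.items()):
        print(f"{host}:{port}")
        for sig, n in sorted(sigs.items()):
            print(f"    {n:>3}  {sig}")
    print("one service, several rules:", shared_service_ports(pivot))
```

On the sample data only 192.168.1.20:32400 collects more than one signature, which is the same conclusion reached by hand above: a Tor relay list hit, a Tor exit list hit and an RDP-on-odd-port rule are all just remote Plex clients arriving at the one port that is forwarded in. The useful next step is to confirm that port against the Plex remote-access setting and then tune those signatures for that host rather than switching them off everywhere.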


I think I was expecting more alerts on my network, but it could just be the TAP placement.


