What should I do with my IDS logs?

I have recently been gifted a brand new Xbox One game console with 3 games, a 1TB hard drive and the works. I connected it to the wired interface of my IPFire router
(a PC with all the latest and best network hardware)
and whenever I started to download games it would stop after a short while, and the IDS log shows things like:
Date: 05/08 08:54:03
Name: ET INAPPROPRIATE BDSM
Priority: 1
Type: Potential Corporate Privacy Violation
IP Info: 192.168.1.1:3128 -> 192.168.1.7:49852
SID: 200****
Refs:

and:

Date: 05/08 10:22:18
Name: GPL SHELLCODE x86 setgid 0
Priority: 2
Type: A System Call was Detected
IP Info: 192.168.1.1:3128 -> 192.168.1.7:50213
SID: 210****
Refs:
So I installed IPFire on a USB flash disk, connected it to another modem I have with my ISP, used this configuration with the intrusion prevention system set to monitor only, and ran the Xbox One and one of my Fedora Linux PCs connected to it for approximately 24 hours. Then all my games downloaded, and multiplayer more or less just works on both networks.

So now I have a ton of logs, mostly from my Xbox One.
My questions:

  1. Should I just send my firewall logs and IDS logs to my ISP at internet.abuse@sjrb.ca and tell them I don't know if the log entries are false alarms?
  2. What would you do with your IPS logs? Should I buy services from a network security expert?

Any feedback is welcome.

Hi,

as far as I know, the ET INAPPROPRIATE rules rely more or less on regular expressions and
are likely to cause false positives. The same goes for GPL SHELLCODE: the game you downloaded
most probably contained an executable file, so IPS rules trying to find shellcode in it
will most probably trigger.

The same goes for Linux package updates if they are downloaded via HTTP.

I suggest re-thinking your IPS ruleset. More activated rules do not necessarily mean
more security.

You probably want to monitor your IPS logs (located at /var/log/suricata/fast.log) for
hits with private IP addresses involved and/or unusual findings. If your IPFire is directly
connected to the internet, you usually observe a bunch of portscans and similar attacks,
which cause too much noise if you do not filter them out.

To give you an idea of a rather quiet day in IPS hits, these were triggered on an IPFire
machine behind a DSL connection in Central Europe within 24 hours:

  1 ET DROP Spamhaus DROP Listed Traffic Inbound group XX
  1 GPL DNS named version attempt 
  1 GPL RPC xdmcp info query 
  2 GPL RPC portmap listing UDP 111 
  3 ET SCAN Suspicious inbound to mySQL port 3306 
  4 GPL SNMP public access udp 
 11 ET COMPROMISED Known Compromised or Hostile Host Traffic group XX
 41 ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 
 42 ET SCAN Sipvicious Scan 
 65 ET SCAN Suspicious inbound to MSSQL port 1433 
271 ET DROP Dshield Block Listed Source group XX
476 ET CINS Active Threat Intelligence Poor Reputation IP group XX
567 ET SCAN NMAP -sS window 1024 

Thanks, and best regards,
Peter Müller

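The filtering Peter describes above (look at /var/log/suricata/fast.log, separate hits that involve private addresses from the background scan noise, and count hits per signature) can be scripted. The following is an added example written for this thread, not code from IPFire or from either poster. It parses the single-line Suricata fast.log format and runs on a constructed sample: the two entries from the original post (with placeholder SIDs, since the real ones are masked in the thread) plus three made-up inbound scan hits using RFC 5737 documentation addresses as the "internet" side. IPv4 only; whether port 3128 on 192.168.1.1 is the firewall's own web proxy is my assumption, not something the thread states.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in Suricata fast.log format. SIDs are placeholders, not the
# masked ones from the original post; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real internet addresses.
SAMPLE_FAST_LOG = """\
05/08/2019-08:54:03.112233  [**] [1:2000001:4] ET INAPPROPRIATE BDSM [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.1:3128 -> 192.168.1.7:49852
05/08/2019-10:22:18.445566  [**] [1:2100001:8] GPL SHELLCODE x86 setgid 0 [**] [Classification: A System Call was Detected] [Priority: 2] {TCP} 192.168.1.1:3128 -> 192.168.1.7:50213
05/08/2019-11:01:09.000001  [**] [1:2000002:7] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 198.51.100.7:3389
05/08/2019-11:01:10.000002  [**] [1:2000002:7] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51235 -> 198.51.100.7:445
05/08/2019-12:30:00.000003  [**] [1:2000003:5] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.9:5060 -> 198.51.100.7:5060
"""

# One fast.log line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol in braces, then "src:port -> dst:port". IPv4 only here.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Explicit list instead of ipaddress's is_private, which also flags the
# documentation ranges used in the sample as "private". 100.64.0.0/10 is
# included because some DSL/cable subscribers sit behind carrier-grade NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sid"] = int(ev["sid"])
        ev["prio"] = int(ev["prio"])
        ev["src_private"] = is_private(ev["src"])
        ev["dst_private"] = is_private(ev["dst"])
        events.append(ev)
    return events


def private_hits(events, require_both=False):
    """Hits with a private address involved. With require_both=True only hits
    where both ends are private, i.e. traffic that never left the LAN (the
    two entries in the original post: 192.168.1.1:3128 -> 192.168.1.7)."""
    if require_both:
        return [e for e in events if e["src_private"] and e["dst_private"]]
    return [e for e in events if e["src_private"] or e["dst_private"]]


def summarize(events):
    """Hits per signature, ascending, like `sort | uniq -c | sort -n` output."""
    counts = Counter(e["msg"] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def format_summary(rows):
    width = max((len(str(n)) for _, n in rows), default=1)
    return "\n".join(f"{n:>{width}} {msg}" for msg, n in rows)


if __name__ == "__main__":
    evs = parse_fast_log(SAMPLE_FAST_LOG)
    print("LAN-internal hits (both ends private):")
    for e in private_hits(evs, require_both=True):
        print(f"  {e['ts']} {e['msg']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("\nAll hits per signature:")
    print(format_summary(summarize(evs)))
```

On a real box, replace `SAMPLE_FAST_LOG` with the contents of /var/log/suricata/fast.log. The "both ends private" view is the one worth reading first: anything that shows up there was either generated inside your own network or, as with the Xbox downloads, by the firewall itself serving content to a LAN client, and is far more likely to be a false positive you can tune out than an attack.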

Thanks.
Does anyone see these events created in our IDS system? Or is there another person on the other end of this somehow?

Hi,

Does anyone see these events created in our IDS system?

Unless he/she/it is able to log into your firewall, no. An attacker might be able to
guess that you are running an IPS by probing it (generating a network packet matching some
signature and waiting for the response), but that's all.

Or is there another person on the other end of this somehow?

It depends, but in most cases: No.

Thanks, and best regards,
Peter Müller
