For the past 3 or so months I’ve been noticing entries in Suricata that concern me. Maybe they are benign, but I figured I’d throw this out there and see if anyone has experienced or is experiencing this.

There is a pattern to these entries. All of them are listed as 'PROTOCOL-ICMP Destination Unreachable Network Unreachable'. But it’s like there is a cron job that fires this off roughly once every hour and 5 minutes.

12/13/2025 16:55:02
12/13/2025 15:50:01
12/13/2025 14:45:01
12/13/2025 13:40:01
12/13/2025 12:35:01
12/13/2025 11:30:01
12/13/2025 10:25:02
12/13/2025 09:20:01
12/13/2025 08:15:01
12/13/2025 07:10:01

These IP ranges are usually from China, Romania, and Singapore. The biggest ‘offender’ being China:

203.119.27.1 was found in our database!
This IP was reported 11 times. Confidence of Abuse is 1%:
ISP 	China Internet Network Information Center
Usage Type 	Data Center/Web Hosting/Transit
ASN 	AS24406
Hostname(s) 	c.dns.cn
Domain Name 	cnnic.cn
Country 	🇨🇳 China
City 	Shanghai, Shanghai 

Thing is, these IPs are usually what I consider ‘clean’. Not a lot of abuse reports. On the surface, I know what 'PROTOCOL-ICMP Destination Unreachable Network Unreachable' means. Pretty self-explanatory. What I’m trying to figure out is the why part.

I have gone through my logs, monitored for any calls to these IPs from inside the network, and I come up empty. Nothing within my network, whether server or other devices, is requesting data from these IPs. I have no cron set to do such on an hour and 5 minute interval.

So I’m left wondering, is this normal network chatter? Perhaps scraping attempts? Or perhaps breach attempts. So, I sit at the feet of the network experts to be schooled and see if I have something misconfigured, or if it’s nothing to be worried about, or what the devil is going on.

ETA: Suricata is running in conjunction with pfSense as part of a standalone firewall. ETA2: Also running the evil Cloudflare Tunnel/Zero Trust.
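Added example, not from this thread or from Suricata itself: an ICMP Destination Unreachable message is a reply to a datagram that left your side, and it quotes the original IP header plus the first 8 bytes of that datagram. Decoding the quoted header from a captured packet (for example one pulled from a pcap on the WAN interface) tells you which address and port originated the traffic, which is the "why" being asked about. The packet bytes below, the 192.168.1.50 sender and the UDP/53 datagram are constructed for illustration; only 203.119.27.1 comes from the post.

```python
import ipaddress
import socket
import struct

# RFC 792 / RFC 1122 Destination Unreachable codes (type 3)
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 5: "source route failed",
                 13: "communication administratively prohibited"}

# Constructed sample ICMP message (type 3, code 0), not a real capture:
ICMP_UNREACH = bytes.fromhex(
    "03000000" "00000000"                  # type=3 code=0 csum=0, 4 unused bytes
    "4500003c" "1c464000" "4011" "0000"    # quoted IPv4 hdr: ttl=64, proto=17 (UDP)
    "c0a80132"                             # quoted src 192.168.1.50 (constructed)
    "cb771b01"                             # quoted dst 203.119.27.1 (from the post)
    "d0a40035" "00280000"                  # quoted UDP: sport 53412, dport 53
)


def decode_icmp_unreachable(pkt: bytes) -> dict:
    """Extract what the quoted datagram says about the original sender."""
    icmp_type, icmp_code = pkt[0], pkt[1]
    if icmp_type != 3:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    inner = pkt[8:]                          # quoted IP header + first 8 data bytes
    if len(inner) < 20:
        raise ValueError("truncated quoted header")
    ihl = (inner[0] & 0x0F) * 4              # quoted header length in bytes
    info = {"code": icmp_code,
            "reason": UNREACH_CODES.get(icmp_code, "other"),
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]),
            "inner_proto": inner[9]}
    if info["inner_proto"] in (6, 17) and len(inner) >= ihl + 4:
        # TCP and UDP both start with source and destination ports
        info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def originated_inside(info: dict, lan_networks) -> bool:
    """True if the quoted sender is one of our prefixes; False suggests backscatter
    (unsolicited replies to traffic that merely spoofed our address)."""
    src = ipaddress.ip_address(info["inner_src"])
    return any(src in ipaddress.ip_network(n) for n in lan_networks)


if __name__ == "__main__":
    details = decode_icmp_unreachable(ICMP_UNREACH)
    print(details, originated_inside(details, ["192.168.1.0/24"]))
```

Behind NAT, a packet captured on the WAN side will quote the firewall's public address and the translated source port rather than the LAN host, so match that port against the firewall's state table to find the internal originator.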

  • non_burglar@lemmy.world (4 upvotes, 1 day ago)

    We would need more info to help confirm, but watching IDS traffic will show you lots of misconfigurations as well as actually suspicious traffic, so this might be a POS device doing stupid stuff.

    Is Suricata listening on an internal subnet interface? If you are listening on a public interface, your job sorting through the trash traffic will be difficult because determining source is nearly pointless and your external interface should not know anything about the internal subnet.

    • irmadlad@lemmy.world OP (1 upvote, 1 day ago)

      “Is Suricata listening on an internal subnet interface”

      Suricata monitors both WAN & LAN. I also use ntopng for traffic analysis.

      “external interface should not know anything about the internal subnet”

      All multicast/broadcast are confined to local and are not leaked to the WAN… that I know of. I’m guessing that’s what you are telling me. Again, I do not possess the skills of a seasoned network engineer, which is why I’m consulting with the experts. I just know what I see on my network and investigate/research until I have a broader understanding.