First Threat Prevention Alert

[SpeedThree]

Hope some kind soul is having a quiet moment and can take a shot at providing some advice.

Yesterday, on my Synology RT2600AC router, I installed the Threat Prevention Package.

Today, I received this alert:

The following suspicious network event was dropped:

Event Type: Attempted User Privilege Gain
Signature: ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
Severity: HIGH
Source IP: 192.168.1.5
Destination IP: 52.23.111.175

Opening the Synology SRM, I see that the Severity is listed as High and the Status is Drop and this info was also provided.

alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)";
content:"|00 01|";
depth:2; content:"|21 12 a4 42|";
distance:2;
within:4;
reference:url,tools.ietf.org/html/rfc5389;
classtype:attempted-user; sid:2016149;
rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04

Is the wisest thing to do click on the Add Policy button at the top of that Synology page and click OK???

Many thanks.

 

[coxhaus]

I don't know anything about Synology routers but what you posted with your attempted access is from an inside your network IP address 192.168.1.5 to an outside IP address 52.23.111.175 the destination. Is 52.23.111.175 your router IP address by chance? Maybe it is just logging you are accessing your router.

 

[WiFiNemesis]

I have considerable experience with the Synology implementation, though I stopped using it when SRM 1.2 came along as a step in stabilizing the router. I haven't turned it back on...

This particular alert can occur when merely browsing Amazon or using video conferencing apps, among other things. Since STUN is often used for real-time voice, video, messaging, and other interactive communications, it's likely a false positive - I ultimately set the alert to "Do nothing."

You will find that dealing with Threat Prevention will require a great deal of your time and considerable expertise in deciphering the alerts. There used to be a post on the old Synology forum that explained how to go about interpreting signatures and verifying alerts (to the extent you can), but I couldn't find it for you (regrettably none of the historical stuff got transferred to the new forum).

 

[WiFiNemesis]

SpeedThree, came across an old link with a procedure for assessing Threat Prevention alerts: https://forum.synology.com/enu/viewtopic.php?p=536015#p536015.

(The context is from when a beta version of Threat Protection went bonkers, but still pertains.)

 

[SpeedThree]

My apologies for not thanking all you who responded to my queston: a family emergency is the cause.
So, many thanks for those informative replies.
After following the link from WiFi Nemesis, I can only conclude that the inner workings of routers are well beyond the likes of mere mortals such as I.
I'll leave the Threat Prevention Package installed and scan the email alerts, and leave it at that.