juched
Very Senior Member
Can someone "decode" what is happening here. Is suricata just alerting on my Govee sensor hub but not deeming it a real threat?
Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl User-Agent Outbound [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80
Hard to tell. From what I see:
The Attempted Information Leak rule deals with signatures from potentially damaging information gathering attempts. Information leaks or reconnaissance attacks that are classified as Attempted Information Leaks are not proof positive that an information gathering attempt has been successful. Rather, they are a signal that an attempt has been made—that if the right conditions exist, sensitive information that could aid the attacker in compromising a system has been released.
attempted-recon | Attempted Information Leak | medium |
My gut is that the device is using curl in a way that looks suspicious. If the IP 18.233.186.252 is the service it should be talking to, then you can ignore this.
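As an added example (not code from this thread or from Suricata), here is a small Python helper that parses the fast.log line quoted above and applies the triage logic from the reply: an ET POLICY hit whose destination is on the operator's allowlist of expected services is noise, otherwise it needs a look. The `known_services` allowlist is a hypothetical mapping the operator maintains.

```python
import re
from dataclasses import dataclass

# Suricata fast.log alert line, optionally wrapped in a syslog prefix
# ("Aug 5 08:52:41 RT-AC86U suricata[12058]: ...") as in the post above.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: int

def parse_alert(line: str) -> Alert:
    """Extract the rule and flow fields from one fast.log / syslog alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"not a Suricata alert line: {line!r}")
    return Alert(
        sid=int(m["sid"]), msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"],
        src=m["src"], dst=m["dst"], dport=int(m["dport"]),
    )

def triage(alert: Alert, known_services: dict[str, set[str]]) -> str:
    """Classify an alert the way the reply above suggests.

    known_services maps an internal host to the external IPs it is expected
    to talk to (hypothetical allowlist maintained by the operator)."""
    is_policy = alert.msg.startswith("ET POLICY")
    expected = alert.dst in known_services.get(alert.src, set())
    if is_policy and expected:
        return "expected"      # policy rule, destination is the device's own service
    if is_policy:
        return "review"        # policy rule, but destination not yet confirmed
    return "investigate"       # non-policy rule: treat as a potential threat

# Sample line taken from the post above; the allowlist entry is constructed.
SAMPLE = ("Aug 5 08:52:41 RT-AC86U suricata[12058]: [1:2013028:4] ET POLICY curl "
          "User-Agent Outbound [Classification: Attempted Information Leak] "
          "[Priority: 2] {TCP} 192.168.2.158:29292 -> 18.233.186.252:80")
KNOWN = {"192.168.2.158": {"18.233.186.252"}}
```

Running `triage(parse_alert(SAMPLE), KNOWN)` returns `"expected"`; with an empty allowlist it returns `"review"`, which is the state the original poster is in until the destination is confirmed.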