Since recently upgrading my Fedora Server 40 machine, and also not long after adding a couple of new containers, I've been getting these two alerts once or twice per day, but I can't figure out the source of it on the server:
I ran a tcpdump on the Fedora server hoping to get the virtual IP of whichever container could be the culprit, but it's always coming from the main IP of the server. Here's a sample:
[root@maggie ~]# tcpdump -i any -c 100 -A -v host 192.168.1.27
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
19:05:21.778668 enp6s18 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has frink.mydomain.com tell bart.mydomain.com, length 46
.........$.xT.................................
19:05:21.971894 enp6s18 Out IP (tos 0x0, ttl 1, id 21543, offset 0, flags [DF], proto TCP (6), length 64)
maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [S], cksum 0x83e4 (incorrect -> 0x29c3), seq 1800867850, win 64240, options [mss 1460,sackOK,TS val 1587335647 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
E..@T'@........F........kW.
...................
^..........."...
19:05:21.972096 enp6s18 In IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto TCP (6), length 60)
frink.mydomain.com.llmnr > maggie.mydomain.com.43978: Flags [S.], cksum 0x83e0 (incorrect -> 0xaa8f), seq 1229659842, ack 1800867851, win 65160, options [mss 1460,sackOK,TS val 1876088497 ecr 1587335647,nop,wscale 7], length 0
E..<..@....
.......F....IK..kW.................
o...^.......
19:05:21.972134 enp6s18 Out IP (tos 0x0, ttl 1, id 21544, offset 0, flags [DF], proto TCP (6), length 52)
maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [.], cksum 0x83d8 (incorrect -> 0xd5ee), ack 1, win 502, options [nop,nop,TS val 1587335647 ecr 1876088497], length 0
E..4T(@........F........kW..IK.............
^...o...
19:05:21.972173 enp6s18 Out IP (tos 0x0, ttl 1, id 21545, offset 0, flags [DF], proto TCP (6), length 97)
maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [P.], cksum 0x8405 (incorrect -> 0xcf15), seq 1:46, ack 1, win 502, options [nop,nop,TS val 1587335647 ecr 1876088497], length 45
E..aT)@........F........kW..IK.............
^...o....+.............27.1.168.192.in-addr.arpa.....
19:05:21.972273 enp6s18 In IP (tos 0x0, ttl 1, id 12013, offset 0, flags [none], proto TCP (6), length 52)
frink.mydomain.com.llmnr > maggie.mydomain.com.43978: Flags [.], cksum 0x83d8 (incorrect -> 0xd5ba), ack 46, win 509, options [nop,nop,TS val 1876088497 ecr 1587335647], length 0
E..4.......&.......F....IK..kW.8...........
o...^...
19:05:23.221841 enp6s18 Out IP (tos 0x0, ttl 1, id 21546, offset 0, flags [DF], proto TCP (6), length 52)
maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [F.], cksum 0x83d8 (incorrect -> 0xd0de), seq 46, ack 1, win 502, options [nop,nop,TS val 1587336897 ecr 1876088497], length 0
E..4T*@........F........kW.8IK.............
^...o...
19:05:23.222069 enp6s18 In IP (tos 0x0, ttl 1, id 12014, offset 0, flags [none], proto TCP (6), length 52)
frink.mydomain.com.llmnr > maggie.mydomain.com.43978: Flags [F.], cksum 0x83d8 (incorrect -> 0xcbf4), seq 1, ack 47, win 509, options [nop,nop,TS val 1876089747 ecr 1587336897], length 0
E..4.......%.......F....IK..kW.9...........
o...^...
19:05:23.222103 enp6s18 Out IP (tos 0x0, ttl 1, id 21547, offset 0, flags [DF], proto TCP (6), length 52)
maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [.], cksum 0x83d8 (incorrect -> 0xcbfb), ack 2, win 502, options [nop,nop,TS val 1587336897 ecr 1876089747], length 0
[email protected].............
^...o...
19:05:27.449036 enp6s18 In ARP, Ethernet (len 6), IPv4 (len 4), Request who-has maggie.mydomain.com tell frink.mydomain.com, length 28
.........$.!.C.............F
19:05:27.449048 enp6s18 Out ARP, Ethernet (len 6), IPv4 (len 4), Reply maggie.mydomain.com is-at bc:redacted:aa (oui Unknown), length 28
.........$.......F.$.!.C....
19:26:44.744326 enp6s18 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has frink.mydomain.com tell NELSON.mydomain.com, length 46
..........Me..................................
FRINK/192.168.1.27 is my opencanary and MAGGIE/192.168.1.70 is my Fedora 40 server.
I'm seeing LLMNR mentioned in the dump, and that led me to discover that LLMNR was a recently added config for opencanary, but I have not configured it, nor can I find any opencanary documentation on it explaining what it's doing. Maybe by default it's not well configured, but I want to know more about it before I do.
I've tried eliminating LLMNR on the server, but it's either not working or it is and it's not the cause. None of my other servers/devices are causing alerts on my opencanary.
Anyone able to help me?
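An added triage example for captures like the one posted above (this is not code from the post or from the OpenCanary project): it parses `tcpdump -v -A` output, groups the header line, the flow line and the ASCII payload lines of each packet, and then reports which host opened a TCP session to the canary's `llmnr` port and what name was looked up inside it. The embedded excerpt is constructed from the capture above, with the `-v` indentation that the page lost; the host names, the canary name passed to `llmnr_initiators`, and the `tcpdump` line layout the regexes expect are assumptions. On this capture the only initiator is the server itself, and the payload carries a PTR query for `27.1.168.192.in-addr.arpa`, i.e. a reverse lookup of the canary's own address sent with TTL 1, which is the detail to check against the server's resolver configuration rather than against any individual container.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the tcpdump -v -A output posted above (not the
# whole capture): per packet, a header line, an indented flow line, then payload.
SAMPLE = """\
19:05:21.971894 enp6s18 Out IP (tos 0x0, ttl 1, id 21543, offset 0, flags [DF], proto TCP (6), length 64)
    maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [S], cksum 0x83e4 (incorrect -> 0x29c3), seq 1800867850, win 64240, options [mss 1460,sackOK,TS val 1587335647 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
E..@T'@........F........kW.
19:05:21.972096 enp6s18 In IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    frink.mydomain.com.llmnr > maggie.mydomain.com.43978: Flags [S.], cksum 0x83e0 (incorrect -> 0xaa8f), seq 1229659842, ack 1800867851, win 65160, options [mss 1460,sackOK,TS val 1876088497 ecr 1587335647,nop,wscale 7], length 0
E..<..@....
19:05:21.972173 enp6s18 Out IP (tos 0x0, ttl 1, id 21545, offset 0, flags [DF], proto TCP (6), length 97)
    maggie.mydomain.com.43978 > frink.mydomain.com.llmnr: Flags [P.], cksum 0x8405 (incorrect -> 0xcf15), seq 1:46, ack 1, win 502, options [nop,nop,TS val 1587335647 ecr 1876088497], length 45
E..aT)@........F........kW..IK.............
^...o....+.............27.1.168.192.in-addr.arpa.....
19:05:27.449036 enp6s18 In ARP, Ethernet (len 6), IPv4 (len 4), Request who-has maggie.mydomain.com tell frink.mydomain.com, length 28
"""

# Header line of an IP packet as printed by "tcpdump -i any -v" (assumed layout).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>In|Out|B) IP "
    r"\(.*?ttl (?P<ttl>\d+),.*\)$"
)
# Flow line: "src.port > dst.port: Flags [..], ..., length N"; the port (or service
# name such as "llmnr") is the label after the last dot of each endpoint.
FLOW_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>[^\s.:]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<plen>\d+)$"
)
# Reverse-lookup names that survive in the -A ASCII dump of a DNS/LLMNR payload.
QNAME_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\.(?:in-addr|ip6)\.arpa)")


def ptr_to_ip(qname):
    """Turn an IPv4 reverse name (d.c.b.a.in-addr.arpa) back into a.b.c.d, else None."""
    labels = qname.split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:4]))
    return None


def parse_capture(text):
    """Group tcpdump -v -A lines into one record per IP packet.

    Each record holds the header fields (ts, iface, dir, ttl), the flow fields
    (src, sport, dst, dport, flags, plen) and the reverse-lookup names harvested
    from the payload lines that follow it. ARP lines end the current packet.
    """
    packets, pending, current = [], None, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending, current = header.groupdict(), None
            continue
        flow = FLOW_RE.match(line)
        if flow and pending is not None:
            current = {**pending, **flow.groupdict(), "qnames": []}
            current["ttl"] = int(current["ttl"])
            current["plen"] = int(current["plen"])
            packets.append(current)
            pending = None
            continue
        if " ARP, " in line:
            current = None
            continue
        if current is not None:  # ASCII payload line belonging to the last packet
            current["qnames"].extend(QNAME_RE.findall(line))
    return packets


def llmnr_initiators(packets, canary, port="llmnr"):
    """Hosts that opened a TCP session to the canary's LLMNR port, with what they queried.

    The initiator is the side that sent a bare SYN ("S"); payload names seen on the
    same (source, source port) pair are attached so the output shows the lookup itself.
    """
    flows = defaultdict(lambda: {"syn": False, "ttl": set(), "ifaces": set(), "qnames": []})
    for p in packets:
        if p["dst"] != canary or p["dport"] != port:
            continue
        rec = flows[(p["src"], p["sport"])]
        rec["syn"] |= p["flags"] == "S"
        rec["ttl"].add(p["ttl"])
        rec["ifaces"].add(p["iface"])
        rec["qnames"].extend(p["qnames"])
    return [
        {
            "source": src,
            "sport": sport,
            "ttl": sorted(rec["ttl"]),
            "ifaces": sorted(rec["ifaces"]),
            "queried": [(q, ptr_to_ip(q)) for q in rec["qnames"]],
        }
        for (src, sport), rec in sorted(flows.items())
        if rec["syn"]
    ]


if __name__ == "__main__":
    for hit in llmnr_initiators(parse_capture(SAMPLE), "frink.mydomain.com"):
        print(f"{hit['source']}:{hit['sport']} ttl={hit['ttl']} via {hit['ifaces']}")
        for name, ip in hit["queried"]:
            print(f"  looked up {name} (reverse of {ip})")
```

Run it against a saved capture by replacing `SAMPLE` with the file contents; because the flow is keyed on the source host and port printed by `tcpdump -i any`, a container that talks through the host's address shows up under the host name, exactly as in the capture above, and the queried name is then the only clue to which process on the host issued the lookup.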