Suricata/Unifi IPS confuses Zerotier for Edonkey

Hi all,

From time to time my Unifi gateway IDS/IPS blocks ZeroTier traffic because it matches an Edonkey signature. I’ve opened a case with Unifi. They pointed me to the Suricata Emerging Threats ruleset.

curl -s "https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules" -o - | grep "ET P2P Edonkey Search Request (search by name)"

Points to this rule:

alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

I will fill in the Emerging Threats feedback form for this rule, but I guess more information about the ZT packet structure will be necessary to refine this rule. Is it documented somewhere?

Thx,

Timmmy
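To reason about which UDP packets sid:2003319 can fire on, the following added example (not part of the original post or of ZeroTier) encodes the rule's header and payload conditions as plain Python and runs them over constructed payloads. The sample port 9993 is ZeroTier's default UDP port and the payload bytes are constructed, not captured traffic.

```python
"""Model the match conditions of ET rule sid:2003319 (Edonkey search request)."""

EDONKEY_SID = 2003319


def ports_match(src_port: int, dst_port: int) -> bool:
    """Header part: $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535].

    Both ports must lie in 1024:65535 and neither may be 3389.
    """
    return all(1024 <= p <= 65535 and p != 3389 for p in (src_port, dst_port))


def payload_matches(payload: bytes) -> bool:
    """Payload part: dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3."""
    if len(payload) <= 5:                 # dsize:>5 -> at least 6 payload bytes
        return False
    # depth:2 limits the search for a 2-byte pattern to the first 2 bytes,
    # so e3 98 can only match at offset 0.
    if payload[:2] != b"\xe3\x98":
        return False
    # within:3 is relative to the end of the previous match (offset 2): the
    # 1-byte pattern must end within the next 3 bytes, i.e. at offset 2, 3 or 4.
    return b"\x01" in payload[2:5]


def rule_fires(src_port: int, dst_port: int, payload: bytes) -> bool:
    """True when both the header and the payload conditions of the rule hold."""
    return ports_match(src_port, dst_port) and payload_matches(payload)


# Constructed payloads (not real ZeroTier or Edonkey traffic).
SAMPLE_TRIGGER = b"\xe3\x98\x7a\x01" + b"\x00" * 12      # e3 98 at 0, 01 at offset 3
SAMPLE_LATE_01 = b"\xe3\x98\x7a\x7b\x7c\x01" + b"\x00" * 10  # 01 at offset 5: outside within:3
SAMPLE_SHIFTED = b"\x00\xe3\x98\x01" + b"\x00" * 12      # e3 98 at offset 1: outside depth:2
SAMPLE_SHORT = b"\xe3\x98\x01"                           # only 3 bytes: fails dsize:>5

if __name__ == "__main__":
    for name, pkt in [("trigger", SAMPLE_TRIGGER), ("late_01", SAMPLE_LATE_01),
                      ("shifted", SAMPLE_SHIFTED), ("short", SAMPLE_SHORT)]:
        print(f"{name:8s} 9993->9993 fires={rule_fires(9993, 9993, pkt)}")
    print(f"trigger  9993->3389 fires={rule_fires(9993, 3389, SAMPLE_TRIGGER)}")
```

Feeding real ZeroTier payload bytes into `payload_matches` shows directly whether the first five bytes of a given packet satisfy the rule's byte conditions.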
