Security Onion detecting traffic from strange networks #7341
I'm fairly new to Security Onion, so please forgive me if this has been covered before, but I'm trying to understand why I'm seeing traffic from strange IPs in SO. Yesterday I reinstalled Security Onion on a VM running in my home lab. My previous setup was only monitoring traffic from 10.0.0.0/8, as that's the network in use across my various VLANs. This time I took the default settings of 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12. Since the reinstall, I'm detecting traffic from private IP addresses that are outside the network ranges used in my networks. Specifically, I'm seeing source IP and destination IP traffic from 192.168.10.0/24 and 192.168.3.0/24, and I'm trying to understand how I can be picking up this traffic.

Here's how my network is configured:

- Router: pfSense XG7100
- Physical cabling
- VLANs
- Security Onion

I'm confused as to why I'm seeing traffic from 192.168.10.0/24 and 192.168.3.0/24 talking to IPs on the internet and to each other. I've plugged a laptop into my various VLANs and assigned it IPs in the 192.168.10.0/24 and 192.168.3.0/24 network ranges using valid default gateway settings, and I can't connect to the internet or ping any of the IPs Security Onion is detecting in the 192.168.10.0/24 and 192.168.3.0/24 subnets. I've also checked my Unifi Controller, which keeps track of every wired and wireless client on my network, and it doesn't see any clients in the 192.168.10.0/24 and 192.168.3.0/24 subnets. When I configured the laptop with IPs in the 192.168.10.0/24 and 192.168.3.0/24 subnets, the Unifi controller picked it up. My firewall rules are very locked down, with no inbound ports or protocols open from the internet to any VLAN. Outbound traffic from the LAN, GUEST and IOT VLANs to the internet is unrestricted.
Replies: 1 comment 1 reply
Digging a bit deeper, all the traffic from these strange subnets is only showing up in a very narrow window of time, while I was doing the final setup of the reinstalled Security Onion instance. As part of that work I ran so-test. It appears these alerts came from the sample PCAPs. Sorry for wasting people's time. #feelingstupid
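The way the reply above resolved the mystery, by noticing that every sighting of the odd subnets was confined to the few minutes in which so-test was replaying its sample PCAPs, is a check worth automating before anyone chases phantom hosts around the VLANs. The following is an added example, not code from this thread or from Security Onion itself: it reads Zeek conn.log records, picks out RFC 1918 addresses that fall outside the networks you actually run, groups them by /24, and reports whether each cluster is a short burst and whether it lies entirely inside a time window you supply (for instance, when so-test was running). It assumes Zeek conn.log in JSON-lines form with the standard `ts`, `id.orig_h` and `id.resp_h` fields and accepts `ts` either as epoch seconds or as ISO 8601, since Zeek can emit either depending on configuration. The log records, the 10.0.0.0/8 home network and the so-test window are all constructed for the example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed Zeek conn.log records in JSON-lines form. Field names follow the
# conn.log schema (ts, id.orig_h, id.resp_h, proto); every value is made up for
# this example. One record carries an ISO 8601 ts to exercise both formats.
SAMPLE_CONN_LOG = """\
{"ts": 1700000000.0, "id.orig_h": "10.0.1.5", "id.resp_h": "203.0.113.10", "proto": "tcp"}
{"ts": 1700003600.0, "id.orig_h": "10.0.2.7", "id.resp_h": "198.51.100.4", "proto": "udp"}
{"ts": 1700005000.0, "id.orig_h": "192.168.10.20", "id.resp_h": "203.0.113.50", "proto": "tcp"}
{"ts": "2023-11-14T23:37:10.500000Z", "id.orig_h": "192.168.3.15", "id.resp_h": "192.168.10.20", "proto": "tcp"}
{"ts": 1700005100.0, "id.orig_h": "192.168.10.21", "id.resp_h": "198.51.100.7", "proto": "tcp"}
{"ts": 1700009000.0, "id.orig_h": "10.0.3.9", "id.resp_h": "203.0.113.10", "proto": "tcp"}
"""

# The RFC 1918 ranges, which are also Security Onion's default home networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The networks actually in use (assumption: the original poster's single 10/8).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ts(value):
    """Zeek writes ts as epoch seconds by default or ISO 8601 if so configured; accept both."""
    if isinstance(value, (int, float)):
        return float(value)
    text = str(value)
    if text.endswith("Z"):  # fromisoformat only accepts 'Z' from Python 3.11 on
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into dicts with a normalized float ts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def is_unexpected_private(ip_str, expected_nets):
    """True for an RFC 1918 address that is not inside any network you really run."""
    ip = ipaddress.ip_address(ip_str)
    in_rfc1918 = any(ip in net for net in RFC1918)
    in_expected = any(ip in net for net in expected_nets)
    return in_rfc1918 and not in_expected


def unexpected_sightings(records, expected_nets, prefix=24):
    """Collect timestamps of every unexpected private address, keyed by its /prefix, for both endpoints."""
    sightings = {}
    for rec in records:
        for field in ("id.orig_h", "id.resp_h"):
            ip_str = rec.get(field)
            if ip_str and is_unexpected_private(ip_str, expected_nets):
                subnet = str(ipaddress.ip_network(f"{ip_str}/{prefix}", strict=False))
                sightings.setdefault(subnet, []).append(rec["ts"])
    return sightings


def triage(conn_log_text, expected_nets=EXPECTED_NETS, burst_seconds=600):
    """Summarize each unexpected subnet: how often, over what span, and whether it is a short burst."""
    records = parse_conn_log(conn_log_text)
    summary = {}
    for subnet, tss in unexpected_sightings(records, expected_nets).items():
        span = max(tss) - min(tss)
        summary[subnet] = {
            "count": len(tss),
            "first": min(tss),
            "last": max(tss),
            "span_seconds": span,
            "burst": span <= burst_seconds,
        }
    return summary


def attributable_to_window(summary, start_ts, end_ts):
    """Per subnet: did every sighting fall inside [start_ts, end_ts] (e.g. while so-test ran)?"""
    return {subnet: start_ts <= s["first"] and s["last"] <= end_ts for subnet, s in summary.items()}


if __name__ == "__main__":
    summary = triage(SAMPLE_CONN_LOG)
    # Hypothetical time window in which so-test was run, noted down by the analyst.
    in_test_window = attributable_to_window(summary, 1700004900.0, 1700005200.0)
    for subnet, s in summary.items():
        first = datetime.fromtimestamp(s["first"], timezone.utc).isoformat()
        print(f"{subnet}: {s['count']} sightings, span {s['span_seconds']:.0f}s, "
              f"first {first}, burst={s['burst']}, inside test window={in_test_window[subnet]}")
```

A subnet whose every sighting is a short burst inside the test window is almost certainly replay traffic from the sample PCAPs. Sightings spread across the day, or falling outside the window, are exactly the case where the original poster's laptop-on-each-VLAN and controller checks are the right next step rather than a write-off.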