Suricata detects an unknown TOR activity

I'm using Suricata as an IPS.
I found this strange connection. I don't use Tor and I didn't install any Tor client or browser (I'm using Chrome):
“ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 698 [**] [Classification: Misc Attack] [Priority: 2]”

Which OS are you using? Maybe Tor was pre-installed in it and enabled by default.


It's Zorin 16, a general-purpose OS:
https://en.wikipedia.org/wiki/Zorin_OS

In addition, I already blocked all traffic to port 19302 (after previous alerts) using my Huawei router; I don't know how these connections are made:
“ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) [**] [Classification: Attempted User Privilege Gain] [Priority: 1]”

The log is for network address translation, which is basically translating an internal IP to an external IP for communicating with the Internet. Even though you blocked one port, it can take some other port. These ports are not fixed and keep on changing depending on the system services. Also, a quick Google search will get you the answer to what each log means from the Suricata docs website.
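A defender-side check for a thread like this, added here as an example that is not from the original posts or from Suricata itself: it reads Suricata EVE JSON alert lines (a constructed sample modelled on the two signatures quoted above; the IPs, ports and timestamps are invented) and groups the matching alerts by destination port and host, which shows directly whether the STUN requests are moving between ports as the reply above describes.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata EVE JSON records (one object per line) modelled on the two
# alerts quoted in the thread. IPs, ports, timestamps, the flow record and the
# broken line are invented; only the signature strings come from the thread.
SAMPLE_EVE = """\
{"timestamp":"2023-05-01T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":51422,"dest_ip":"203.0.113.7","dest_port":9001,"proto":"TCP","alert":{"signature":"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 698","category":"Misc Attack","severity":2}}
{"timestamp":"2023-05-01T10:00:02+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":58004,"dest_ip":"198.51.100.9","dest_port":3478,"proto":"UDP","alert":{"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)","category":"Attempted User Privilege Gain","severity":1}}
{"timestamp":"2023-05-01T10:00:03+0000","event_type":"flow","src_ip":"192.168.1.20","src_port":443,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP"}
not a json line
{"timestamp":"2023-05-01T10:00:04+0000","event_type":"alert","src_ip":"192.168.1.20","src_port":58010,"dest_ip":"198.51.100.9","dest_port":44421,"proto":"UDP","alert":{"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)","category":"Attempted User Privilege Gain","severity":1}}
"""

def summarize_alerts(eve_text, keywords=("ET TOR", "STUN")):
    """Group EVE alert records whose signature contains one of `keywords`.
    Returns {signature: {"count", "dest_ports": Counter of (proto, port), "dests"}}.
    Non-alert records and lines that are not valid JSON are skipped."""
    summary = defaultdict(lambda: {"count": 0, "dest_ports": Counter(), "dests": set()})
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:  # eve.json may hold a half-written last line
            continue
        if rec.get("event_type") != "alert":  # flow, dns, http ... records
            continue
        sig = rec.get("alert", {}).get("signature", "")
        if not any(k in sig for k in keywords):
            continue
        entry = summary[sig]
        entry["count"] += 1
        entry["dest_ports"][(rec.get("proto"), rec.get("dest_port"))] += 1
        entry["dests"].add(rec.get("dest_ip"))
    return dict(summary)

def report(summary):
    """Render one group per signature with its destination ports and hosts."""
    lines = []
    for sig, entry in sorted(summary.items()):
        ports = ", ".join(f"{p}/{port}" for (p, port), _ in entry["dest_ports"].most_common())
        lines.append(f"{entry['count']:3d}  {sig}")
        lines.append(f"     dest ports: {ports}")
        lines.append(f"     dest hosts: {', '.join(sorted(entry['dests']))}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize_alerts(SAMPLE_EVE))))
```

Point it at the real `/var/log/suricata/eve.json` and compare the listed destination ports and hosts against `ss -tunp` output on the Zorin host to see which local process owns the flows.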