I found a bunch of consecutive outgoing "GPL CHAT Jabber/Google Talk Outgoing Traffic" packets on my LAN interface in my pfSense Suricata log today and found it rather interesting. Although Suricata doesn't seem to think it's suspicious based on the class message it returned, I do.
The IP from which the traffic originated was my iPhone. Moreover, I don't have Jabber or Google Talk installed on it. Stranger yet, the destination address was ec2-54-159-108-26.compute-1.amazonaws.com.
The only thing I was doing on the phone around that time was using the Flickr and 500px apps to catch up on some postings. I might have also opened up Safari to look something up. But why would any of these things use Jabber or Google Talk, and why would it go to Amazon Web Services? I get they may have a service running on their servers that provides Jabber or Google Talk services, but why would either of these apps use it? That’s what’s got me scratching my head.
Maybe Suricata labeled the traffic incorrectly, meaning it really wasn't Jabber or Google Talk and fired the rules on the wrong data. Might just be a false positive. Then again, Google Talk and Jabber traffic is pretty easy to identify, and it's not like it was one packet. It was a lot (more than what's shown in the image above).
Since no one on my LAN uses Jabber or Google Talk, I’ve enabled and issued a drop action on that rule. I’ll be keeping an eye out to see if they pop up again. There has been no impact to Flickr, 500px or Safari on my iPhone.
UPDATE: Encountering a lot more traffic related to this rule. It’s all being dropped and the kids/wife are not complaining. So me dropping the packets doesn’t seem to be causing anything to break.
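The triage done above by eye (is it one packet or many, is it all one LAN host talking to one destination, and are the hits being dropped now) can be done over Suricata's EVE JSON log. This is an added example, not part of the post; the log lines are constructed to mirror the situation described (a made-up phone address 192.168.1.50, the EC2 host's address taken from its hostname, and port 5222 assumed as the Jabber port).

```python
# Triage Suricata EVE JSON alerts for one signature: hits per flow, noisy
# sources, and allowed-vs-blocked counts. Added example, not from the post.
import json
from collections import Counter

SIGNATURE = "GPL CHAT Jabber/Google Talk Outgoing Traffic"

# Constructed EVE records: one phone hitting one EC2 host three times (the
# last one after a drop rule was enabled), a non-alert flow record that must
# be skipped, and one unrelated alert that must not be counted.
SAMPLE_EVE = """\
{"timestamp":"2015-03-01T10:00:01.000000-0500","event_type":"alert","src_ip":"192.168.1.50","src_port":52001,"dest_ip":"54.159.108.26","dest_port":5222,"proto":"TCP","alert":{"action":"allowed","signature":"GPL CHAT Jabber/Google Talk Outgoing Traffic","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2015-03-01T10:00:01.200000-0500","event_type":"alert","src_ip":"192.168.1.50","src_port":52001,"dest_ip":"54.159.108.26","dest_port":5222,"proto":"TCP","alert":{"action":"allowed","signature":"GPL CHAT Jabber/Google Talk Outgoing Traffic","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2015-03-01T10:00:02.000000-0500","event_type":"flow","src_ip":"192.168.1.20","src_port":40000,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP"}
{"timestamp":"2015-03-01T10:00:03.000000-0500","event_type":"alert","src_ip":"192.168.1.50","src_port":52002,"dest_ip":"54.159.108.26","dest_port":5222,"proto":"TCP","alert":{"action":"blocked","signature":"GPL CHAT Jabber/Google Talk Outgoing Traffic","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2015-03-01T10:00:04.000000-0500","event_type":"alert","src_ip":"192.168.1.20","src_port":40001,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature":"CONSTRUCTED Unrelated Signature","category":"Not Suspicious Traffic","severity":3}}
"""

def parse_alerts(eve_text):
    """Return only the alert records from EVE JSON text (one JSON object per line)."""
    records = (json.loads(line) for line in eve_text.splitlines() if line.strip())
    return [r for r in records if r.get("event_type") == "alert"]

def count_flows(alerts, signature):
    """Count hits for one signature per (src_ip, dest_ip, dest_port)."""
    flows = Counter()
    for rec in alerts:
        if rec["alert"]["signature"] == signature:
            flows[(rec["src_ip"], rec["dest_ip"], rec["dest_port"])] += 1
    return flows

def noisy_sources(flows, threshold):
    """Sources whose total hits reach the threshold: one host firing the same
    rule repeatedly is what separates a stray alert from something to look at."""
    per_src = Counter()
    for (src, _dst, _port), n in flows.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)

def action_counts(alerts, signature):
    """Allowed vs blocked hits for the signature; shows whether a drop rule is biting."""
    return Counter(r["alert"]["action"] for r in alerts if r["alert"]["signature"] == signature)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    flows = count_flows(alerts, SIGNATURE)
    for flow, n in flows.most_common():
        print(n, "x", " -> ".join(map(str, flow)))
    print("noisy sources:", noisy_sources(flows, 3))
    print("actions:", dict(action_counts(alerts, SIGNATURE)))
```

Point it at a real eve.json (read the file instead of SAMPLE_EVE) to see whether the hits cluster on one source and one destination the way they did here, and whether "blocked" starts to replace "allowed" once the drop action is enabled.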