Security Onion Host generating IP Spoof. (how to find) <low priority not service impacting> #9611
Replies: 1 comment
-
Hello wilmerism, the cause of this is that docker is running in bridge mode. By default, this is configured in Security Onion as seen here: https://docs.securityonion.net/en/latest/docker.html#networking-and-bridging. Also mentioning the Docker documentation for further guidance: https://docs.docker.com/network/bridge/. This bridge network is set to allow the docker containers connected to it to talk to each other. The docker-proxy is a port-forward; it just allows Docker to map a port within a container to a host port. Hope this helps!
-
I say low priority as this is in a home lab environment; it doesn't matter if there is no fix.
Security Onion 2.3.200 is on Hyper-V. Host IP is 192.168.100.30 (the LAN is 192.168.100.x/24).
I'm getting an alert on my router >>
1 2023-01-23 10:19:17 172.17.0.7:43748 185.199.108.133:443
crit adp ACCESS BLOCK
Rule_id:2 from LAN1 to Any, [type:IP-Decoder(25)] ip-spoof Action:Drop Packet
The source IP of 172.17.0.7 does not exist anywhere on my network.
On investigating with a packet capture in Wireshark, the MAC address it's coming from is my Security Onion VM.
It's a process "docker-proxy" doing -proto,tcp,-host-ip,0.0.0.0,-host-port,3000,-container-ip,172.17.0.7,-container-port,3000
Why would this come out of the NIC of Security Onion and not through docker routing and present the source as 192.168.100.30?
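The question's "how to find" part and the answer's explanation of docker-proxy port mappings can be tied together with a small triage script. The following is an added example, not code from the discussion or from the Security Onion project: it takes router alert lines in the format posted above and the argv of docker-proxy processes (in either the comma-joined form shown in the post or the space-separated form `ps` prints), flags source addresses that fall inside Docker's default bridge subnet, and reports which container IP/port mapping each one belongs to. The 172.17.0.0/16 default bridge range, the docker-proxy argv layout and the sample alert and process lines are assumptions modelled on the post and on the Docker bridge documentation it links.

```python
"""Correlate router 'ip-spoof' alerts with docker-proxy port mappings.

Added example for the discussion above; not part of Security Onion or Docker.
"""
import ipaddress
import re
import shlex

# Docker's default bridge (docker0) subnet. Assumption: the host uses the
# stock 172.17.0.0/16 range; adjust if the bridge was reconfigured.
DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")

# Matches "src:port dst:port" as in the posted router line.
ALERT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from a router alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def parse_docker_proxy(cmdline):
    """Turn a docker-proxy argv string into a dict of its -key value options.

    Accepts the comma-joined form quoted in the post ("-proto,tcp,...") and
    the space-separated form a process listing shows; a leading binary path
    (e.g. /usr/bin/docker-proxy) is skipped. Returns None if nothing parses.
    """
    argv = cmdline.split(",") if "," in cmdline and " " not in cmdline else shlex.split(cmdline)
    if argv and not argv[0].startswith("-"):
        argv = argv[1:]  # drop the executable name
    opts = {}
    i = 0
    while i + 1 < len(argv):
        if argv[i].startswith("-"):
            opts[argv[i].lstrip("-")] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts or None


def is_bridge_address(ip, network=DEFAULT_BRIDGE):
    """True if ip lies inside the Docker bridge subnet (should never appear on the LAN)."""
    return ipaddress.ip_address(ip) in network


def correlate(alert_lines, proxy_cmdlines):
    """For each alert whose source is a bridge address, list matching docker-proxy mappings.

    Each finding carries the container IP, the destination, and the
    (host-ip, host-port, container-port) tuples docker-proxy publishes for it.
    """
    mappings = [m for m in map(parse_docker_proxy, proxy_cmdlines) if m]
    findings = []
    for line in alert_lines:
        parsed = parse_alert(line)
        if not parsed:
            continue
        src, _sport, dst, dport = parsed
        if not is_bridge_address(src):
            continue  # ordinary LAN/host traffic, not a leaked container address
        matches = [m for m in mappings if m.get("container-ip") == src]
        findings.append({
            "src": src,
            "dst": dst,
            "dst_port": dport,
            "mappings": [(m.get("host-ip"), m.get("host-port"), m.get("container-port"))
                         for m in matches],
        })
    return findings


# Constructed sample input, modelled on the post: one leaked bridge address
# and one normal host-sourced connection for contrast.
SAMPLE_ALERTS = [
    "1 2023-01-23 10:19:17 172.17.0.7:43748 185.199.108.133:443",
    "2 2023-01-23 10:20:01 192.168.100.30:51000 185.199.108.133:443",
]
SAMPLE_PROCS = [
    "-proto,tcp,-host-ip,0.0.0.0,-host-port,3000,-container-ip,172.17.0.7,-container-port,3000",
    "/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9200 "
    "-container-ip 172.17.0.3 -container-port 9200",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_ALERTS, SAMPLE_PROCS):
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']} is a Docker bridge address; "
              f"docker-proxy mappings: {f['mappings'] or 'none'}")
```

On a real host the `SAMPLE_PROCS` list would be replaced by the argv of every running docker-proxy process, and a container IP reported by `correlate` can then be looked up with `docker inspect` to name the container. A bridge address showing up on the LAN side means the host is emitting that container's traffic without source NAT, which is the condition the router's ip-spoof rule is designed to drop.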