Every time I connect to Tailscale, immediately our intrusion detection system triggers an alert that an intrusion is coming from my computer. Unfortunately UniFi gives close to zero detail about what intrusion they detected, but I have the full high-sensitivity setting enabled.
If I disable the Services Collection capability, the IDS is not triggered. I thought the Services Collection feature ran locally on the device to detect what services were running. Is there also some network scanning happening?
Services collection should be running locally.
My expectation would be that on high sensitivity it will trigger on STUN probes. We use that to determine your external IP address and port number for NAT traversal, as well as detecting the round trip time to each DERP relay so that the closest one is used.
I don’t have an explanation for services collection changing if the IDS triggers. Maybe the IDS remembers recent activity and only triggers once every so often, so changing the setting looks like it prevents the alerts?
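
Added example, not part of the original thread and not Tailscale's code: a small Python classifier for checking whether a UDP payload captured around the alert is one of the STUN probes described in the reply, including how a success response carries the external IP address and port. It assumes the probes use the standard RFC 5389 STUN header; the function names and sample payloads are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def parse_stun(payload: bytes):
    """Return a dict describing a STUN message, or None if payload is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Type has its top two bits clear, the cookie is fixed, and the length
    # is 4-byte aligned and equals the bytes following the 20-byte header.
    if (msg_type & 0xC000 or cookie != MAGIC_COOKIE
            or length % 4 or length != len(payload) - 20):
        return None
    info = {"type": msg_type, "txid": payload[8:20].hex(), "mapped": None}
    pos = 20
    while pos + 4 <= len(payload):
        attr_type, attr_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            # IPv4 form: port and address are XORed with the magic cookie.
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            info["mapped"] = (str(ipaddress.IPv4Address(addr)), port)
        pos += 4 + attr_len + (-attr_len % 4)   # attributes are padded to 4 bytes
    return info


def classify(payload: bytes) -> str:
    msg = parse_stun(payload)
    if msg is None:
        return "not-stun"
    return {BINDING_REQUEST: "stun-binding-request",
            BINDING_SUCCESS: "stun-binding-success"}.get(msg["type"], "stun-other")


# Constructed sample payloads (not captured traffic).
TXID = bytes(range(12))
REQUEST = struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + TXID
# Response reporting external address 203.0.113.7:41641 (documentation range).
_attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 1,
                    41641 ^ (MAGIC_COOKIE >> 16),
                    int(ipaddress.IPv4Address("203.0.113.7")) ^ MAGIC_COOKIE)
RESPONSE = struct.pack("!HHI", BINDING_SUCCESS, len(_attr), MAGIC_COOKIE) + TXID + _attr
```

Payloads that come back as `not-stun` are the ones left to examine when working out what else the IDS matched.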