Netgate Discussion Forum

TLS Suspicious Extension

Forum section: Traffic Monitoring
Digiguy, Feb 2, 2024, 7:49 PM (edited 7:50 PM)

I am getting loads of these alerts. Are they dangerous? If not dangerous, can I stop them from happening? If they are dangerous, how do I get to the root of the problem? Not sure how to do either. I do see what computer they are coming from. Any advice would be appreciated.

johnpoz (LAYER 8, Global Moderator) @Digiguy, Feb 3, 2024, 3:14 AM (edited 3:16 AM)

      @Digiguy what are you seeing exactly, and where?

Is this some IPS/IDS alert? If so, I can move this thread to that section.. Could you post a screenshot of what you're seeing exactly?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

NogBadTheBad @johnpoz, Feb 3, 2024, 9:27 AM

Think it's an ntopng warning:

        TLS Suspicious Extension

        Checks for suspicious tls esni usage.

        The alert notifies when the domain name (SNI extension) is not printable and thus it is a problem.

Category: Cybersecurity

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

johnpoz (LAYER 8, Global Moderator) @NogBadTheBad, Feb 3, 2024, 12:12 PM (edited 12:16 PM)

          @NogBadTheBad ah, ok in the right section.

That alert would depend on where you're going.. IDN (internationalized domain name) might be normal for the domains you're using..

I would look at what domain you're actually going to; if that is normal traffic for your network, then silence the alert if you don't want to see it.. If it's not normal, then yeah, you've got something going on you should look into.

The problem with IDNs is it is possible to spoof what looks like domain X, say in your browser, but is really domain Y.. So yeah, probably prudent to check the alerts out to make sure your devices/clients are going to where they should be going.

Digiguy @johnpoz, Feb 3, 2024, 4:20 PM
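The "looks like domain X but is really domain Y" problem described above, as an added example that is not part of the original post: decode the xn-- (punycode) labels that an IDN arrives as on the wire, then flag labels that mix scripts and labels that are whole-script confusables of an ASCII name. CONFUSABLES is a small hand-picked subset of the Unicode confusables data (assumed, extend as needed); a_label, u_label and the host names are constructed for the demo.

```python
"""Spot the look-alike host names behind an IDN homograph: decode xn--
labels, flag mixed-script labels, and flag whole-script confusables that
render like an ASCII brand.  Added example; the CONFUSABLES table is a
small subset of the Unicode confusables list and the hosts are constructed."""
import unicodedata

# Cyrillic letters that render identically to Latin ones (assumed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j",
}


def a_label(unicode_label: str) -> str:
    """Punycode-encode a Unicode label into its xn-- (A-label) wire form."""
    return "xn--" + unicode_label.encode("punycode").decode("ascii")


def u_label(label: str) -> str:
    """Inverse of a_label; plain ASCII labels pass through unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> set:
    """Script families used by the letters of a label, read off the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def homograph_findings(host: str) -> list:
    """Return (wire_label, reason) pairs for every suspicious label in host."""
    findings = []
    for raw in host.split("."):
        label = u_label(raw)
        if not label.isprintable():
            findings.append((raw, "non-printable"))
            continue
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append((raw, "mixed scripts " + "/".join(sorted(scripts))))
        folded = skeleton(label)
        if folded != label and folded.isascii():
            findings.append((raw, f"looks like {folded}"))
    return findings


if __name__ == "__main__":
    # Constructed: Latin "paypal" with a Cyrillic a, and an all-Cyrillic "apple".
    for host in ("www.example.com",
                 a_label("p\u0430ypal") + ".com",
                 a_label("\u0430\u0440\u0440\u04cf\u0435") + ".com"):
        print(host, "->", homograph_findings(host))
```

A browser or a sensor sees only the xn-- form, which is why the ntopng check is phrased in terms of the raw SNI; decoding it first is what lets you judge whether the name is a legitimate IDN (an umlaut in a German shop's name) or a brand spelled in the wrong alphabet.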

            @johnpoz and @NogBadTheBad , thanks for the reply... will look closer at the ntopng alert. Will add a screenshot and more info if I have trouble investigating.. this is a great help .. when everything works... it works great

johnpoz (LAYER 8, Global Moderator) @Digiguy, Feb 3, 2024, 4:24 PM (edited 4:35 PM)

              @Digiguy here is some info why IDN can be considered an issue

              https://en.wikipedia.org/wiki/IDN_homograph_attack

edit: any time you "monitor" traffic, be it where it's going or what sort of traffic, be it protocol or amount.. If you do not understand your normal traffic, anything that alerts you to what it by default finds worthy of reporting.

Doesn't matter what you're using to monitor; it could be something as basic as amount.. If you normally use say 1GB a day, and now you're using 3GB, it might be worth looking into why..

              If you don't normally see traffic to say port 25, and now you are - yeah prob worth looking into..

Monitoring is a way to detect different things that are not normal.. It could be hey, you use 1GB normally, now you're only using 100MB, you know something is different.. Should prob check into why - maybe your backup is not running, or if you're seeing stuff like alerts for domains that you normally don't see, why is that? I know one of the alerts that IDS/IPS can trigger on is oddball .tlds in a domain.. It's not that they are bad or anything; .biz is one I know it will alert on.. While sure there are prob lots of bad domains using that, there are also many legit sites, etc..

They set up that alert because, in their research, hey, quite often .biz is bad.. While sure .com has bad stuff too, the percentage of bad to good is way lower than with .biz.. etc..

So when you see such alerts, you need to determine if the alert is appropriate for your network. Such alerts don't always mean something is wrong.. But any monitoring/IDS/IPS, anything that reports anything about your network, will have to be adjusted for your own particular network patterns.. So the alerts work for you to report when your network traffic is not "normal", if you will.

Digiguy @johnpoz, Feb 3, 2024, 4:28 PM

@johnpoz Thanks, I will read to the best of my ability...lol I did look at the alert and it does seem harmless as you stated. Correct me if I am wrong
[screenshot: login required to view]

johnpoz (LAYER 8, Global Moderator) @Digiguy, Feb 3, 2024, 4:38 PM (edited 4:42 PM)

@Digiguy .mylocal is not a valid TLD.. If you're using .mylocal in your network, then either turn off that alert, or use something else.. The new recommended domain to use locally is home.arpa

                  But from my understanding .internal might be new one that is viable for internal use..

                  port 3000, is a common port used by a few different applications I believe.. I would have to look to stuff I am running, but pretty sure something uses that out of the box.. ;)

It is also known to be used by bad stuff.. It reports that, sure, 3000 is not the standard port for TLS - hahaha.. Monitoring tools are quite often pretty stupid.. You have to adjust them for your network's normal use to get any use out of them, to be honest ;)

Digiguy @johnpoz, Feb 3, 2024, 4:43 PM

                    @johnpoz - Ahhhh! good information! Will start with changing it to home.arpa as per recommendation.

                    As always.. learning with each step along the way. Greatly appreciate the help!

johnpoz (LAYER 8, Global Moderator) @Digiguy, Feb 3, 2024, 4:48 PM (edited 4:50 PM)

@Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. pfSense now defaults to using home.arpa

Not really wrong or right here; if you're happy with using .mylocal it's not particularly "wrong", but there's an RFC out that recommends for local use, home.arpa is more appropriate to use..

Lots of use of .local back in the day before it was ruined by Apple using it for their mDNS domain ;) You can for sure still use it, but since it's really associated now with mDNS it can be problematic.

I don't think you would run into such issues with using .mylocal, other than things alerting you, hey, that TLD is odd ;) like you're seeing.. I would hope they wouldn't alert on home.arpa since this is the new recommended domain to use locally.

                      https://www.rfc-editor.org/rfc/rfc8375.html
                      Special-Use Domain 'home.arpa.'

NogBadTheBad @Digiguy, Feb 4, 2024, 8:39 AM

                        @Digiguy said in TLS Suspicious Extension:

                        @johnpoz Thanks i will read to the best of my ability...lol I did look at the Alert and it does seem harmless as you stated. Correct me if I am wrong
[screenshot: login required to view]

IIRC, doesn't ntopng use port 3000? Is that alert a false positive 😀

johnpoz (LAYER 8, Global Moderator) @NogBadTheBad, Feb 4, 2024, 1:39 PM

@NogBadTheBad hahahah - yeah that is funny.. you're right, ntop uses 3000..

Bob.Dig (LAYER 8) @johnpoz, Feb 4, 2024, 2:23 PM (edited 2:24 PM)

                            @johnpoz said in TLS Suspicious Extension:

                            @Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. Pfsense now defaults to using home.arpa

Isn't .internal the new hotness?

                            The Internet Assigned Numbers Authority (IANA) has made a provisional determination that “.INTERNAL” should be reserved for private-use and internal network applications.

                            https://www.icann.org/en/public-comment/proceeding/proposed-top-level-domain-string-for-private-use-24-01-2024

johnpoz (LAYER 8, Global Moderator) @Bob.Dig, Feb 4, 2024, 2:25 PM (edited 2:28 PM)

                              @Bob-Dig yeah which I mentioned.. Sure you could prob be the first to jump on .internal if you want to start using it.. But will ntop think that is suspicious?

                              You would hope since home.arpa has been a thing for a while, that it wouldn't be considered suspicious ;)

But it looks like that is traffic to ntop's own web GUI, is it? That 172.16.0.1 would be consistent with a typical router IP (pfSense), and ntop does default to using port 3000 ;)

Digiguy @NogBadTheBad, Feb 4, 2024, 6:24 PM

@NogBadTheBad and @johnpoz, I had to laugh when I opened ntopng and noticed the port in the browser.. you're right... will keep on trucking! I hate just setting and forgetting, so I may ask some dumb questions, but because you guys are so responsive, unlike several other forums I have asked questions in, I end up learning something each time! Greatly appreciate it!

johnpoz (LAYER 8, Global Moderator) @Digiguy, Feb 4, 2024, 6:41 PM

                                  @Digiguy yeah that ntop reports traffic to itself as suspicious is freaking hilarious ;)

But that just goes to show my point about having to know your own network's traffic to know if something is legit or not, or warrants an "alert/warning"

pulsartiger @johnpoz, Sep 28, 2024, 2:44 AM

                                    @johnpoz

I see the comment about changing the local domain name to home.arpa. I set up my pfSense router about a year ago and used something not in the recommended list. I just set up ntopng and I am getting a lot of alerts; maybe it's related to my local domain name. I was curious, if I change this domain name in System -> General Setup -> Domain, is there anywhere else that I need to update this name? Could changing this name cause any issues with packages or rules that I have set up?

johnpoz (LAYER 8, Global Moderator) @pulsartiger, Sep 28, 2024, 4:22 AM

@pulsartiger Shouldn't. I changed mine from local.lan to home.arpa. The only other places I recall changing it were in host overrides I had set up for stuff on my network, and certs that I had created.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.