TLS Suspicious Extension
-
I am getting loads of these Alerts. Are they dangerous? if not dangerous can I stop them from happening? If they are dangerous how do I get to the root of the problem? Not sure how to do either. I do see what computer they are coming. Any advice would be appreciated.
-
@Digiguy what are you seeing exactly, and where?
Is this some IPS/IDS alert? If so can move this thread to that section.. Could you post a screenshot of what your seeing exactly.
-
Think it’s a ntopng warning:-
TLS Suspicious Extension
Checks for suspicious tls esni usage.
The alert notifies when the domain name (SNI extension) is not printable and thus it is a problem.
Category:Cybersecurity
-
@NogBadTheBad ah, ok in the right section.
That alert would depend on where your going.. IDN (internationalized domain name) might be normal for the domains your using..
I would look to what domain your actually going to, if that is normal traffic for your network - then silence the alert if you don't want to see it.. If its not normal, then yeah you got something going on you should look into.
The problem with IDNs - is it is possible to spoof what likes like domain X say in your browser, but is really domain Y.. So yeah probably prudent to check it the alerts out to make sure your devices/clients are going to where they should be going.
-
@johnpoz and @NogBadTheBad , thanks for the reply... will look closer at the ntopng alert. Will add a screenshot and more info if I have trouble investigating.. this is a great help .. when everything works... it works great
-
@Digiguy here is some info why IDN can be considered an issue
https://en.wikipedia.org/wiki/IDN_homograph_attack
edit: any time you "monitor" traffic - be it where its going, what sort of traffic be it protocol or amount.. If you do not understand your normal traffic, anything that alerts you to what it by default finds worthy of reporting.
Doesn't matter what your using to monitor it could be something as basic as amount.. if you normally use say 1GB a day, and now your using 3GB, it might be worth looking into why..
If you don't normally see traffic to say port 25, and now you are - yeah prob worth looking into..
Monitoring is a way to detect different things that are not normal.. It could be hey you use 1GB normally, now your only using 100MB, you know something is different.. Should prob check into why - maybe your backup is not running, or if your seeing stuff like alerts for domains that you normally don't see - why is that? I know one of the alerts that IDS/IPS can trigger on is odd ball .tlds in a domain.. Its not that they are bad or anything, .biz is one I know it will alert on.. While sure there prob lots of bad domains using that, but there are also many legit sites, etc..
They set up that alert because, in their research hey quite off .biz is bad.. While sure .com has bad stuff too.. The percentage of bad to good is way lower than with biz.. etc..
So when you see such alerts, you need to determine if the alert is appropriate for your network. Such alerts don't always mean something wrong.. But any monitoring/ids/ips anything that reports anything about your network will have to be adjusted for your own particular network patterns.. So the alerts work for you to report when your network traffic is not "normal" if you will.
-
@johnpoz Thanks i will read to the best of my ability...lol I did look at the Alert and it does seem harmless as you stated. Correct me if I am wrong
-
@Digiguy .mylocal is not a valid tld.. If your using .mylocal in your network.. Then either turn off that alert, or use something else.. The new recommended domain to use locally is home.arpa
But from my understanding .internal might be new one that is viable for internal use..
port 3000, is a common port used by a few different applications I believe.. I would have to look to stuff I am running, but pretty sure something uses that out of the box.. ;)
It is also know to be used by bad stuff.. Its report that sure 3000 is not the standard port for tls - hahaha.. Monitoring tools are quite often pretty stupid.. You have to adjust them for your networks normal use to get any use of them to be honest ;)
-
@johnpoz - Ahhhh! good information! Will start with changing it to home.arpa as per recommendation.
As always.. learning with each step along the way. Greatly appreciate the help!
-
@Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. Pfsense now defaults to using home.arpa
Not really wrong or right here, if your happy with using .mylocal its not particularly "wrong" - but rfc out that recommends for local use, home.arpa is more appropriate to use..
Lots of use of .local back in the day before it was ruined by apple using it for their mdns domain ;) You can for sure still use it, but since its really associated now with mdns it can be problematic.
I don't think you would run into such issues with using .mylocal - other than things alerting you, hey that tld is odd ;) like your seeing.. i would hope they wouldn't alert on home.arpa since this is the new recommended domain to use locally.
https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@Digiguy said in TLS Suspicious Extension:
@johnpoz Thanks i will read to the best of my ability...lol I did look at the Alert and it does seem harmless as you stated. Correct me if I am wrong
IIRC doesn’t ntopng use port 3000, is that alert a false positive
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
@NogBadTheBad hahahah - yeah that is funny.. your right ntop uses 3000..
-
@johnpoz said in TLS Suspicious Extension:
@Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. Pfsense now defaults to using home.arpa
Isn't internal the new hotness?
The Internet Assigned Numbers Authority (IANA) has made a provisional determination that “.INTERNAL” should be reserved for private-use and internal network applications.
-
@Bob-Dig yeah which I mentioned.. Sure you could prob be the first to jump on .internal if you want to start using it.. But will ntop think that is suspicious?
You would hope since home.arpa has been a thing for a while, that it wouldn't be considered suspicious ;)
But looks like that is traffic to ntop own web gui, is it? that 172.16.0.1 would be consistent with typical router IP (pfsense) and ntop does default to using port 3000 ;)
-
@NogBadTheBad and @johnpoz , I had to laugh when I opened ntopng and noticed port in browser.. you right... will keep on trucking! I hate just setting and forgetting so I may ask some dumb questions but because you guys are so responsive unlike several other forums I have asked question's in I end up learning something each time! Greatly appreciate it!
-
@Digiguy yeah that ntop reports traffic to itself as suspicious is freaking hilarious ;)
But that just goes to show my point about having to know your own networks traffic to know if something is legit or not or warrants a "alert/warning"
-
I see comment about changing the local domain name to home.arpa. I setup my pfsense router about a year ago and used something not in the recommended list. I just setup ntopng and I am getting a lot of alerts, maybe its related to my local domain name. I was curious, if I change this domain name in System -> General Setup -> Domain, is there anywhere else that I need to update this name? Could changing this name cause any issues with packages or rules that I have setup?
-
@pulsartiger shouldn't I changed mine from local.lan to home.arpa. Only other places I recall changing it was in host overrides I had setup for stuff on my network, and certs that I had created.
