Netgate Discussion Forum

    So why is Netflix hitting me with Dradis?

    IDS/IPS
    • S Offline
      ssullivan556
      last edited by

      You can see The Googz facilitating this request, triggering severity 1 (3:19187) (later, several 2 for 1:649 and 1:650 from other 1e100 ip and then later some thru Amazon) on Snort. Is it normal for 'them' to be elevating themselves and putting shellcode to my Google "smart" TV (even when it was off for some of these severity 2) and also 1:650 on my Pixel phone?
      [image: snippysnip.jpg]
      [image: snort_logs_2025_alerts.jpg]

      .034 is the TV, .033 is the phone. I initiated no updates, recently did a factory reset on the TV (kept up with updates too) and the Pixel is up to date. I have some more pcap, but the rest just look like gobbledygook encrypted or machine code stuff (noob here).

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @ssullivan556
        last edited by

        @ssullivan556 said in So why is Netflix hitting me with Dradis?:

        (noob here).

        Known false positives, with the described conditions

        Fairly high. Large binary transfers, certain web traffic, and even mail traffic can trigger this rule, but are not necessarily indicative of actual setgid code.

        Your client did a dns query, who your client asked answered - you got a false positive.. Very common, which is why, as you call yourself a noob, you should not be running stuff like snort ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        S 1 Reply Last reply Reply Quote 0
        • S Offline
          ssullivan556 @johnpoz
          last edited by

          @johnpoz Why y'all put it a 1?

          My connectivity has not been impacted, why unblock it?

          1 Reply Last reply Reply Quote 0
          • S Offline
            ssullivan556
            last edited by

            also note, my DNS is NOT google,

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @ssullivan556
              last edited by johnpoz

              @ssullivan556 said in So why is Netflix hitting me with Dradis?:

              DNS is NOT google

              And apps and devices like "tvs" love to use their own dns..

              Quite possible that was a dns query to check for an update or something, or telemetry - so no it wouldn't "break" your internet or anything. Or stop netflix from working.

              I block lots of dns queries - stuff still works.

              Why do they rate something at a 1? Is that what you're asking - well if it wasn't a false positive, then yeah it would be bad ;)

              Snort or any sort of ids/ips is going to have lots and lots of false positives - which is why users shouldn't be using it unless they understand that, and how to deal with it, and how to address them, etc.

              Was it actually blocked? Snort normally would default to monitor only mode.

              edit: here as example - did a quick sniff on the segment my rokus and tvs are on..

              [image: example.jpg]

              I sure don't have them set to google. If you look at their network settings in their gui, they don't list google as dns, etc.. But as you can see - they are asking google.

              You could block that if you want, but when they can't talk they tend to get more chatty about it - asking more and more often, etc..

              But just because they talked to google, and your ips/ids flagged something as possible bad - doesn't mean it is..


              S 1 Reply Last reply Reply Quote 0
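              A small triage script for the situation johnpoz describes (a byte-pattern shellcode rule firing on DNS answers from a public resolver). This is an added example, not code from the thread or from Netgate; the alert lines are constructed in Snort's "fast" format, the LAN addresses are placeholders, and the rule messages for SIDs 649/650 are assumed from the setgid/setuid text quoted above.

```python
import re
from collections import Counter

# Snort "fast" alert lines, constructed for this example (not the poster's logs).
# 8.8.8.8 is the public resolver named in the thread; the LAN hosts are
# placeholders following the thread's ".34 = TV, .33 = phone" convention.
SAMPLE_ALERTS = """\
10/02-20:14:07.113201  [**] [1:649:9] SHELLCODE x86 setgid 0 [**] [Classification: Executable code was detected] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.1.34:51523
10/02-20:14:09.551210  [**] [1:650:9] SHELLCODE x86 setuid 0 [**] [Classification: Executable code was detected] [Priority: 1] {UDP} 8.8.8.8:53 -> 192.168.1.33:40120
10/02-21:03:44.002113  [**] [1:650:9] SHELLCODE x86 setuid 0 [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:443 -> 192.168.1.34:38871
"""

# Fast-format fields: timestamp, [gid:sid:rev], message, classification, priority, proto, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# SIDs 649/650 are the setgid/setuid shellcode rules from the thread; the rule docs
# quoted above list DNS, large binary and web transfers as known false-positive sources.
SHELLCODE_SIDS = {"649", "650"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # assumption: resolvers you treat as known

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that don't match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def triage(a):
    """Return a verdict code. A shellcode byte-pattern rule matching inside a UDP/53
    answer from a public resolver is the classic false positive discussed here."""
    if (a["sid"] in SHELLCODE_SIDS and a["proto"] == "UDP"
            and a["sport"] == "53" and a["src"] in PUBLIC_RESOLVERS):
        return "likely-fp-dns-answer"
    if a["sid"] in SHELLCODE_SIDS:
        return "review-shellcode-on-stream"  # binary/TLS payloads also trip these rules
    return "review"

def summarize(text):
    """Count verdicts per LAN destination so each device can be checked in turn."""
    return Counter((a["dst"], triage(a)) for a in parse_alerts(text))
```

Run `summarize(open("alert").read())` against your own alert file to see which hosts are only seeing resolver-answer hits and which warrant a closer look at the pcap.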
              • S Offline
                ssullivan556 @johnpoz
                last edited by

                @johnpoz said in So why is Netflix hitting me with Dradis?:

                Why do they rate something at a 1? Is that what your asking - well if it wasn't a false positive, then yeah it would be bad ;)

                But just because they talked to google, and your ips/ids flagged something as possible bad - doesn't mean it is..

                I am aware 8.8.8.8 is a DNS and that there are many false positives in general. If this is one, why does it appear to call a Dradis server in the pcap? Why is this unsolicited traffic (even when the TV is off) hitting my home network with a penetration testing tool?

                Yes, I have the blocking box checked, it is an IPS. I cannot think of any legitimate reason to find Dradis inside my network. This is exactly why I have IPS.

                tinfoilmattT 1 Reply Last reply Reply Quote 0
                • tinfoilmattT Offline
                  tinfoilmatt @ssullivan556
                  last edited by

                  @ssullivan556 said in So why is Netflix hitting me with Dradis?:

                  I cannot think of any legitimate reason to find Dradis inside my network.

                  Sure you can. Corporations have development and security teams that are paid to investigate unexpected client-side behaviors.

                  S 1 Reply Last reply Reply Quote 0
                  • S Offline
                    ssullivan556 @tinfoilmatt
                    last edited by

                    @tinfoilmatt

                    They'll seriously hit some random TV with a penetration test rather than just doing it in their own sandbox? When do I get the report lol? I had no unexpected behavior, have not opened Netflix since the factory reset. I have not even agreed to their privacy policy.

                    Is there any transparency (i.e. I could contact Netflix and try to get confirmation this was a sanctioned action)?

                    tinfoilmattT 1 Reply Last reply Reply Quote 0
                    • tinfoilmattT Offline
                      tinfoilmatt @ssullivan556
                      last edited by tinfoilmatt

                      @ssullivan556 Everything you're observing is likely automated.

                      S 1 Reply Last reply Reply Quote 0
                      • S Offline
                        ssullivan556 @tinfoilmatt
                        last edited by

                        @tinfoilmatt

                        It feels like a violation that they think they can just use my devices, my bandwidth for penetration testing whenever they want (and since it is automated, that would be "all the time").

                        They have the source code for their software and if they are worried about other software on the TV, well they can talk to those vendors or buy their own TV (forget the phone, that is even more concerning)!

                        I still do not see a legitimate reason for any penetration tester to be in MY network on MY devices without MY consent. Is this actually legal? Recall I did not agree to Netflix's privacy policy.

                        tinfoilmattT 1 Reply Last reply Reply Quote 0
                        • tinfoilmattT Offline
                          tinfoilmatt @ssullivan556
                          last edited by

                          @ssullivan556 Two options:

                          1.) Don't put untrusted devices on the LAN; or
                          2.) If you must put untrusted devices on the LAN, segment the LAN accordingly.

                          I otherwise empathize with your frustration regarding the zeitgeist completely.

                          S 1 Reply Last reply Reply Quote 0
                          • S Offline
                            ssullivan556 @tinfoilmatt
                            last edited by

                            @tinfoilmatt Some good news is that these seemed to stop after a few days of blocking. Not sure how long it had been going on, Snort was down for a little while and this was literally the first alert/block when I got it going again.

                            Thanks all for the discussion. I am not treating this as a false-positive.

                            1 Reply Last reply Reply Quote 1
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.