Netgate Discussion Forum

    talosintelligence.com domain requests

    pfBlockerNG
    bigjohns97

      I ended up resolving this issue by completely deleting the feed that was pointing to this domain; disabling the feed did not help. This is what cost me so much time, as I figured disabling the feed wouldn't query the domain, but I guess the cron job still goes through and checks for an update even though it doesn't apply it.

      Anyway, deleting this list from my IPv4 pri1 lists kept the domain from being queried over and over again, and now my DNS reply report is nice and clean again.

      johnpoz (LAYER 8 Global Moderator)

        @bigjohns97 said in talosintelligence.com domain requests:

        deleting this list from my ipv4 pri1

        What list specifically? An FQDN is not a list to be downloaded; what was the full URL?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        bigjohns97 @johnpoz

          @johnpoz It was the Talos feed:

          https://www.talosintelligence.com/feeds/ip-filter.blf

          I had also found some threads that were pointing to updating that URL to another one that worked better.

          https://www.reddit.com/r/pfBlockerNG/comments/ibllbk/talos_ip_list_url/

          And BTW, I thought I had this fixed by running an out-of-band cron as a test, but looking at it again this morning I see this in my DNS replies again and don't even have the list defined, so obviously more work to do.

          johnpoz (LAYER 8 Global Moderator)

            That URL redirects to here:

            https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/001/238/original/ip_filter.blf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20200930%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200930T125635Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=ee8d075152fa77b1fbdec3f88502b35c40c9ca02472fb513251307db4dc2c382

            I would guess it has something to do with how they are doing the redirection?

            First it redirects to here:
            https://snort.org/downloads/ip-block-list

            and then from there it redirects to that long URL posted above... Looks to be a big mess if you ask me.. So yeah, I could see why some automated system could run into issues or a loop, especially if using something like curl that might not be able to follow redirection, depending on how it's done, etc.

            bigjohns97 @johnpoz

              @johnpoz Yeah, I just don't get it. I deleted this feed yesterday and ran cron, and there were no hits in the reply list, and then I checked again this morning and it's back; I don't know where it's defined at this point.

              I am going to re-add it from the list again and reboot and see if it comes back.

              A reboot is the only thing I know of to make the queries stop once they start...

              Killing my uptime stats :)

              Re-adding it under the original URL in the published feeds list doesn't solve the issue either.

              I am at a loss for next steps :(

              bigjohns97

                Added it and then removed it again and rebooted, and something else is calling this domain and it's not through a feed, so I guess I am back where I started.

                If anyone has any idea where this is coming from I am willing to disable something to test.

                bigjohns97

                  I don't know what it was, but I ended up blowing everything away and starting over; now running with ESXi underneath and 2.4.5p1, and this issue is no longer happening.

                  johnpoz (LAYER 8 Global Moderator)

                    Are you seeing "any" of those A queries for what looks to be IP addresses?

                    bigjohns97 @johnpoz

                      @johnpoz No, I wasn't; these were only DNS queries in the DNS reply tab under Reports.

                      johnpoz (LAYER 8 Global Moderator)

                        Oh my bad - I might have confused this thread with a different one, where there were A queries for stuff like 080.010.149.001, etc.

                        Sorry.. Forget I asked that question ;) hehehe

                        bigjohns97 @johnpoz

                          Just wanted to provide an update to this thread as someone helped me find the issue that was causing this.

                          ntopng has threat feeds in it now, and when it can't get to one of the feeds it just keeps trying and trying.

                          To disable them you have to go into the admin interface, go to Settings and then Category Lists, and disable the offending list that is giving you an issue. I went ahead and disabled all of them, since this was such a problem to find, and also these lists seem to go up and down and I don't want it to just keep trying (outside of its setting to only pull them down daily).

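The thread's root problem was working out which process on the firewall kept resolving the feed domain after the pfBlockerNG list was gone. The script below is an added example, not code from the thread or from pfBlockerNG or ntopng: it scans resolver query-log lines for a domain, flags any client that looks it up repeatedly inside a short window, and relies on the client address to separate a LAN host from a daemon on the firewall itself (127.0.0.1). The log lines are constructed and assume Unbound's `log-queries` layout; adjust `LINE_RE` for the actual log you have.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of Unbound's log-queries output
# (the exact format is an assumption; adjust LINE_RE for your resolver).
SAMPLE_LOG = """\
Sep 30 08:00:01 pfsense unbound[1234:0] info: 192.168.1.50 www.google.com. A IN
Sep 30 08:00:02 pfsense unbound[1234:0] info: 127.0.0.1 www.talosintelligence.com. A IN
Sep 30 08:00:07 pfsense unbound[1234:0] info: 127.0.0.1 www.talosintelligence.com. A IN
Sep 30 08:00:12 pfsense unbound[1234:0] info: 127.0.0.1 www.talosintelligence.com. A IN
Sep 30 08:00:30 pfsense unbound[1234:0] info: 192.168.1.50 snort.org. A IN
Sep 30 08:00:45 pfsense unbound[1234:0] info: 192.168.1.51 www.talosintelligence.com. A IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound\[[^\]]+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) IN$"
)

def parse_queries(text):
    """Yield (timestamp, client, qname) for each query line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["client"], m["qname"].rstrip(".").lower()

def repeated_lookups(text, domain, window_s=60, threshold=3):
    """Return {client: total lookups} for clients that resolved `domain`
    (or a subdomain) at least `threshold` times inside any `window_s`
    window.  A 127.0.0.1 client is a daemon on the firewall itself."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_queries(text):
        if qname == domain or qname.endswith("." + domain):
            per_client[client].append(ts)
    offenders = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                offenders[client] = len(times)
                break
    return offenders

if __name__ == "__main__":
    for client, n in repeated_lookups(SAMPLE_LOG, "talosintelligence.com").items():
        print(f"{client}: {n} lookups of talosintelligence.com within a minute")
```

On the sample data only 127.0.0.1 trips the threshold, which is the pattern the thread ended on: a local daemon (here, ntopng's feed download) retrying the feed URL rather than any LAN host or the pfBlockerNG cron job.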
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.