Netgate Discussion Forum

    [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222

    pfBlockerNG
denis_ju @Gertjan

@gertjan, can I intercept this behavior with a Snort rule? If yes, which rule do you mean to activate?

      Just an idea.

Gertjan @denis_ju

        @rimaju

Can you show the issue?
Isn't there a LAN (local!) IP listed?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

denis_ju @Gertjan

          @gertjan Not yet.
My Wi-Fi is a MikroTik on NAT. I see only the MikroTik IP on pfSense.

Gertjan @denis_ju

            @rimaju said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

@gertjan Not yet.
My Wi-Fi is a MikroTik on NAT. I see only the MikroTik IP on pfSense.

Your AP is doing NAT? Is it a router?
Don't do that .... just have it act as an AP. Shut down the rest (at first).


Okijames

I noticed a ton (30K+ attempts in a few hours) of block alerts to the same address. This is from a phone I recently rooted and installed LineageOS on. With very few apps installed, I was able to whittle it down to Telegram, the FOSS version in fact.

              I've uninstalled Telegram and the phone is no longer attempting to connect to 196.55.215.129.

              Spamhaus has the 196.52.0.0/14 CIDR block listed here... https://www.spamhaus.org/sbl/query/SBL510704

              My laptop, with Telegram installed, is also attempting to reach addresses in that CIDR block.

Gertjan @Okijames
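The narrowing-down Okijames describes (which LAN device is generating the hits, to which address and port, and how many) and the attribution problem Gertjan raises (a NAT router in front of the clients makes every hit look like it comes from the router) can both be done over the block log itself. The script below is an added example in Python, not code from this thread or from pfBlockerNG/pfSense. It assumes a simplified, constructed log line layout (timestamp, interface, action, direction, protocol, source, destination, destination port), not pfBlockerNG's real log format; the sample lines and the router address 192.168.1.2 are constructed assumptions. The 196.52.0.0/14 range is the Spamhaus SBL listing cited above.

```python
import ipaddress
from collections import Counter

# Range listed in Spamhaus SBL510704, as cited in the thread.
SBL_RANGE = ipaddress.ip_network("196.52.0.0/14")

# Constructed sample lines (assumed layout, NOT pfBlockerNG's real format):
#   timestamp interface action direction proto src dst dport
SAMPLE_LOG = """\
2024-05-01T10:00:01 igb0 block out tcp 192.168.1.50 196.55.215.129 443
2024-05-01T10:00:01 igb0 block out tcp 192.168.1.50 196.55.215.129 5222
2024-05-01T10:00:02 igb0 block out tcp 192.168.1.50 196.55.215.129 443
2024-05-01T10:00:02 igb0 block out tcp 192.168.1.2 196.55.215.129 443
2024-05-01T10:00:03 igb0 block out tcp 192.168.1.2 196.55.215.129 443
2024-05-01T10:00:03 igb0 block out udp 192.168.1.50 1.1.1.1 53
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 8:
        return None
    ts, iface, action, direction, proto, src, dst, dport = fields
    try:
        return {
            "ts": ts, "iface": iface, "action": action,
            "direction": direction, "proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        }
    except ValueError:
        return None


def in_listed_range(ip):
    """True if the address falls inside the Spamhaus-listed /14."""
    return ipaddress.ip_address(ip) in SBL_RANGE


def aggregate(lines, only_listed=True):
    """Count blocked outbound connections per (src, dst, dport).

    With only_listed=True, hits to destinations outside SBL_RANGE are ignored
    so the counts reflect only the range the thread is about.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "out":
            continue
        if only_listed and rec["dst"] not in SBL_RANGE:
            continue
        counts[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += 1
    return counts


def hits_per_source(counts):
    """Collapse the (src, dst, dport) counts to hits per LAN source."""
    per_src = Counter()
    for (src, _dst, _dport), n in counts.items():
        per_src[src] += n
    return per_src


def attributable(counts, nat_router_ip):
    """False when every hit comes from the NAT router's address.

    That is the situation Gertjan points at: with an AP doing NAT in front of
    the clients, pfSense only sees the router, so per-device attribution is
    impossible until NAT on the AP is turned off.
    """
    srcs = {src for (src, _dst, _dport) in counts}
    return bool(srcs) and srcs != {str(nat_router_ip)}


if __name__ == "__main__":
    NAT_ROUTER_IP = "192.168.1.2"  # assumption: the MikroTik AP doing NAT
    counts = aggregate(SAMPLE_LOG.splitlines())
    for (src, dst, dport), n in counts.most_common():
        print(f"{n:6d}  {src} -> {dst}:{dport}")
    print("per source:", dict(hits_per_source(counts)))
    if not attributable(counts, NAT_ROUTER_IP):
        print("all hits come from the NAT router; disable NAT on the AP "
              "to see the real client")
```

Run it against a real export once the AP is in plain AP mode: the source that dominates `hits_per_source` is the device to inspect, and the (dst, dport) pairs tell you whether it is only 443 and 5222 or something else.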

                @okijames said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

                phone I recently rooted

Ah, nice. A typical school example of what happens when rooted.
You have to answer the question: do you trust the root kit?
Telegram accessing https ports? Euh .......... right, it does: https://core.telegram.org/mtproto/transports
So it could be that 196.55.215.129 is a front-end CDN for Telegram, and it's refusing your Telegram phone app requests now. Better to check why if possible; maybe your root kit isn't that innocent.


Okijames @Gertjan

                  @gertjan I never fully trust anything :)

                  The phone was well behaved before installing Telegram, and is back to being quiet now that Telegram has been removed. Though now I'm doing packet captures of its traffic, where I was only looking at flow and firewall logs before.

Stopping Telegram on my laptop has the same effect. No more connection attempts to that address.

I should note that Telegram functioned normally; it doesn't appear these specific connections are required for normal operation.

n3xus_x3

I have the same problem. The smartphone does not have any kind of root, and the connections are many... For now I leave it blocked; there is no loss of service at the moment.
[screenshot: block.png]

Okijames

Another burst (47K so far) of attempts today, from both my rooted and unrooted phones. It appears the FOSS version of Telegram for Android is the culprit.

On my Mac the full desktop Telegram client is less aggressive, in the hundreds of attempts per day. The Lite version does not exhibit this behavior.

Okijames @n3xus_x3

                        @n3xus_x3 I opened an issue on github. Please chime in... https://github.com/Telegram-FOSS-Team/Telegram-FOSS/issues/490

HolyK

It is not only the FOSS version; the official Android Telegram app does the same. I have 11888 hits on the IP 196.55.215.129 in the last 24 hours. Anyway, Telegram itself works OK. It is "just" annoying...

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.