TLS Suspicious Extension
-
@Digiguy .mylocal is not a valid tld.. If you're using .mylocal in your network.. Then either turn off that alert, or use something else.. The new recommended domain to use locally is home.arpa
But from my understanding .internal might be a new one that is viable for internal use..
port 3000, is a common port used by a few different applications I believe.. I would have to look to stuff I am running, but pretty sure something uses that out of the box.. ;)
It is also known to be used by bad stuff.. Its report that sure 3000 is not the standard port for tls - hahaha.. Monitoring tools are quite often pretty stupid.. You have to adjust them for your network's normal use to get any use of them to be honest ;)
-
@johnpoz - Ahhhh! good information! Will start with changing it to home.arpa as per recommendation.
As always.. learning with each step along the way. Greatly appreciate the help!
-
@Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. pfSense now defaults to using home.arpa
Not really wrong or right here, if you're happy with using .mylocal it's not particularly "wrong" - but rfc out that recommends for local use, home.arpa is more appropriate to use..
Lots of use of .local back in the day before it was ruined by Apple using it for their mdns domain ;) You can for sure still use it, but since it's really associated now with mdns it can be problematic.
I don't think you would run into such issues with using .mylocal - other than things alerting you, hey that tld is odd ;) like you're seeing.. I would hope they wouldn't alert on home.arpa since this is the new recommended domain to use locally.
https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'
-
@Digiguy said in TLS Suspicious Extension:
@johnpoz Thanks I will read to the best of my ability...lol I did look at the Alert and it does seem harmless as you stated. Correct me if I am wrong
IIRC doesn't ntopng use port 3000? Is that alert a false positive?
-
@NogBadTheBad hahahah - yeah that is funny.. you're right ntop uses 3000..
-
@johnpoz said in TLS Suspicious Extension:
@Digiguy I finally finished my migration to home.arpa, I was using local.lan for many years.. pfSense now defaults to using home.arpa
Isn't internal the new hotness?
The Internet Assigned Numbers Authority (IANA) has made a provisional determination that “.INTERNAL” should be reserved for private-use and internal network applications.
-
@Bob-Dig yeah which I mentioned.. Sure you could prob be the first to jump on .internal if you want to start using it.. But will ntop think that is suspicious?
You would hope since home.arpa has been a thing for a while, that it wouldn't be considered suspicious ;)
But looks like that is traffic to ntop's own web gui, is it? that 172.16.0.1 would be consistent with typical router IP (pfsense) and ntop does default to using port 3000 ;)
-
@NogBadTheBad and @johnpoz, I had to laugh when I opened ntopng and noticed port in browser.. you're right... will keep on trucking! I hate just setting and forgetting so I may ask some dumb questions but because you guys are so responsive unlike several other forums I have asked questions in I end up learning something each time! Greatly appreciate it!
-
@Digiguy yeah that ntop reports traffic to itself as suspicious is freaking hilarious ;)
But that just goes to show my point about having to know your own network's traffic to know if something is legit or not or warrants an "alert/warning"
-
I see a comment about changing the local domain name to home.arpa. I set up my pfsense router about a year ago and used something not in the recommended list. I just set up ntopng and I am getting a lot of alerts, maybe it's related to my local domain name. I was curious, if I change this domain name in System -> General Setup -> Domain, is there anywhere else that I need to update this name? Could changing this name cause any issues with packages or rules that I have set up?
-
@pulsartiger shouldn't. I changed mine from local.lan to home.arpa. Only other places I recall changing it was in host overrides I had set up for stuff on my network, and certs that I had created.