So why is Netflix hitting me with Dradis?
-
You can see The Googz faciliating this request, triggering severity 1 (3:19187) (later, several 2 for 1:649 and 1:650 from other 1e100 ip and then later some thru Amazon) on Snort. Is it normal for 'them" to be elevating themselves and putting shellcode to my Google "smart" TV (even when it was off for some of these severity 2) and also 1:650 on my Pixel phone?
.034 is the TV, .033 is the phone. I initiated no updates, recently did a factory reset on the TV (kept up with updates too) and the Pixel is up to date. I have some more pcap, but the rest just look like gobbebty goop encrypted or machine code stuff (noob here).
-
@ssullivan556 said in So why is Netflix hitting me with Dradis?:
(noob here).
Known false positives, with the described conditions
Fairly high. Large binary transfers, certain web traffic, and even mail traffic can trigger this rule, but are not necessarily indicative of actual setgid code.
Your client did a dns query, who your client asked answered - you got a false positive.. Very common, which is why as you call yourself a noob should not be running stuff like snort ;)
-
@johnpoz Why y'all put it a 1?
My connectivity has not been impacted, why unblock it?
-
also note, my DNS is NOT google,
-
@ssullivan556 said in So why is Netflix hitting me with Dradis?:
DNS is NOT google
And apps and devices like "tvs" love to use their own dns..
Quite possible that was a dns query to check for an update or something, or telemetry - so no it wouldn't "break" your internet or anything. Or stop netflix from working.
I block lots of dns queries - stuff still works.
Why do they rate something at a 1? Is that what your asking - well if it wasn't a false positive, then yeah it would be bad ;)
Snort or any sort of ids/ips is going to have lots and lots of false positives - which is why users shouldn't be using it unless they understand that, and how to deal with it, and how to address them, etc.
Was it actually blocked? Snort normally would default to monitor only mode.
edit: here as example - did a quick sniff on the segment my rokus and tvs are on..
I sure don't have them set to google, If you look at their network settings in their gui, they don't list google as dns, etc.. But as you can see - they are asking google.
You could block that if you want, but when they can't talk they tend to get more chatty about it - asking more and more often, etc..
But just because they talked to google, and your ips/ids flagged something as possible bad - doesn't mean it is..
-
@johnpoz said in So why is Netflix hitting me with Dradis?:
Why do they rate something at a 1? Is that what your asking - well if it wasn't a false positive, then yeah it would be bad ;)
But just because they talked to google, and your ips/ids flagged something as possible bad - doesn't mean it is..
I am aware 8.8.8.8 is a DNS and that there are many false positives in general. If this is one, why does it appear to call a Dradis server in the pcap? Why is this unsolicited traffic (even when the TV is off) hitting my home network with a penetration testing tool?
Yes, I have the blocking box checked, it is an IPS. I cannot think of any legitimate reason to find Dradis inside my network. This is exactly why I have IPS.
-
@ssullivan556 said in So why is Netflix hitting me with Dradis?:
I cannot think of any legitimate reason to find Dradis inside my network.
Sure you can. Corporations have development and security teams that are paid to investigate unexpected client-side behaviors.
-
They'll seriously hit some random TV with a penetration test rather than just doing it in their own sandbox? When do I get the report lol? I had no unexpected behavior, have not opened Netflix since the factory reset. I have not even agreed to their privacy policy.
Is there any transparency (i.e. I could contact Netflix and try to get confirmation this was a sanctioned action)?
-
@ssullivan556 Everything you're observing is likely automated.
-
It feels like a violation that they think they can just use my devices, my bandwidth for penetration testing whenever they want (and since it is automated, that would be "all the time").
They have the source code for their software and if they are worried about other software on the TV, well they can talk to those vendors or buy their own TV (forget the phone, that is even more concerning)!
I still do not see a legitimate reason for any penetration tester to be in MY network on MY devices without MY consent. Is this actually legal? Recall I did not agree to Netflix's privacy policy.
-
@ssullivan556 Two options:
1.) Don't put untrusted devices on the LAN; or
2.) If you must put untrusted devices on the LAN, segment the LAN accordingly.I otherwise empathize with your frustration regarding the zeitgeist completey.
-
@tinfoilmatt Some good news is that these seemed to stop after a few days of blocking. Not sure how long it had been going on, Snort was down for a little while and this was literally the first alert/block when I got it going again.
Thanks all for the discussion. I am not treating this as a false-positive.
-
Do you think my devices where actually on when I did those sniffs? They were off - or like most such devices these days standby, power save - not actually "off"
most TV's never actually turn off - they go into a standby mode so that when you turn them on again it doesn't take 2 minutes to boot up.
Same goes for streamer type boxes like Roku, etc.
If you want them fully off - you would need to set that in the device - or actually remove power from them.
I would bet a very large some of money - all your seeing is typical DNS they do - possible checking for app updates or their own updates, etc. Which they also do - on a Roku you can see when it last checked for updates, more times than not its going to be when its not actively being used.
Your tinfoil hat is on a bit tight if you ask me - your snort is triggering on well known false positive rules, you have something as benign as a device talking to well known default hard coded name servers.
And you're making it to to be a global conspiracy.
If they were doing some nefarious do you not think it would be all over the place? I mean its not like you are the first person to ever turn on snort ;) And watch what traffic goes out of their network from such iot devices, etc.
You are for sure are not the first person to come screaming the sky is falling the first time they see something they do not understand and first thing they jump to is oh my gawd - they are doing something bad. While I am not a fan of hard coded DNS, or worse yet dot or doh being used without consent and acknowledgement from the user of said device.. But to think they are trying to sneak something through in a simple DNS query. And if they were - it would be caught by people way smarter than us and they would be screaming about it that is for sure.
-
@johnpoz You're responding to an LLM.
-
@tinfoilmatt you think? Well my post is still valid comment, for someone finding this thread I guess ;)
These sorts of posts do blow my skirt up so to speak.. Some one looks at a snort alert or even a firewall hit and they think they are under some sort of attack, or they found some secret nonsense companies are doing..
When 9999 out of 10k its noise or false positive ;)
-
@johnpoz Don't be naïve, John. Maybe it'd help to think of it more like people trying to actually understand the technology they use.
You're welcome for the report.
-
@tinfoilmatt and I was trying to help - pointing out that its not them using dradis against them - and just his iot using hard coded DNS.
Every little thing you see in a log doesn't mean your under attack, or compromised or something being bad - sometime, most of the time with ips/ids its going to be noise.. If you want to use it properly there is a huge learning curve - its not just push a button.
Most users have zero use for IPS/ids in their home - and without understanding how it works your just going to think the sky is falling.
-
@johnpoz said in So why is Netflix hitting me with Dradis?:
and just his iot using hard coded DNS
Which you have no idea the purpose of. You're equally speculating.
-
Also if it was a company as big as Netflix doing something - why would they not just hide the traffic in their normal traffic vs doing a DNS query in the clear?
This isn't speculation - its experience and common sense
-
@johnpoz You'd have to ask Netflix.
