What does the message mean?

Hello,

can someone help me interpret this correctly?
I always get these messages from a user

“ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2
Priorität: 2 Typ: Potentially Bad Traffic”

in the protocol of the ISP. How do I find out what causes this message?

I googled it and I found this page.


OK, I can’t find out now which page the client called to cause this?

Hi,

ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2

for the record, this IPS rule’s ID is 2029708, and its raw content can be accessed here.

It seems to trigger in case the SNI field of a TLS connection contains “corona” and is not related to those FQDNs, which seem to be legitimate sites containing COVID-19 information:

  • *.jhu.edu
  • *.ncsc.gov.ie
  • *.nhs.wales
  • *.govt.nz
  • *.nhp.gov.in
  • *.oracle.com (interesting to see)
  • *.cdc.gov

In case your user does not use IPFire’s web proxy (and you turned on logging requests), you probably need to sniff for DNS lookups (IPFire does not log DNS requests for privacy reasons) or TLS traffic containing this pattern by yourself.

If those IPS alerts appear at distinct times, you could also check which clients were active at that time, and in case it was only one, its user probably caused that alert.

Thanks, and best regards,
Peter Müller
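The reply above describes the rule’s logic (an SNI containing “corona” that is not under one of the listed domains) and suggests sniffing TLS traffic yourself when the proxy log is not available. The following is an added example, not code from the thread or from IPFire/Emerging Threats: it builds a constructed TLS ClientHello, extracts the SNI from it, and applies an approximation of the rule as summarised in the post (case-insensitive substring match, suffix-based exclusion list). The exact signature in rule 2029708 may differ; the ALLOWLIST_SUFFIXES tuple, the helper names and the sample host names are assumptions made for this example.

```python
import struct
from typing import List, Optional

# Exclusions quoted in the reply above. Any host under one of these
# domains is treated as legitimate (suffix match, assumption for this example).
ALLOWLIST_SUFFIXES = (
    ".jhu.edu", ".ncsc.gov.ie", ".nhs.wales", ".govt.nz",
    ".nhp.gov.in", ".oracle.com", ".cdc.gov",
)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI
    extension. This is constructed test input, not a real capture."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    name_list = struct.pack("!H", len(entry)) + entry               # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x11" * 32              # random (constructed filler)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS handshake record and return the host_name from the
    server_name extension, or None if it is not a ClientHello with SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000 and len(data) >= 5:
            entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
            i = 0
            while i + 3 <= len(entries):
                name_type = entries[i]
                name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
                if name_type == 0:                    # host_name
                    return entries[i + 3:i + 3 + name_len].decode("ascii", "replace")
                i += 3 + name_len
    return None


def rule_matches(sni: Optional[str]) -> bool:
    """Approximation of the rule described in the reply: SNI contains
    'corona' (case-insensitive, an assumption) and is not under an
    allowlisted domain."""
    if sni is None:
        return False
    host = sni.lower().rstrip(".")
    if "corona" not in host:
        return False
    return not any(host.endswith(s) or host == s[1:] for s in ALLOWLIST_SUFFIXES)


def scan_records(records: List[bytes]) -> List[str]:
    """Return the SNI values that would have raised the alert."""
    return [sni for sni in map(extract_sni, records) if rule_matches(sni)]


if __name__ == "__main__":
    sample = [build_client_hello(h) for h in
              ("coronavirus.jhu.edu", "corona-update.example", "www.example.com")]
    print(scan_records(sample))
```

To use this on real traffic, feed it the first TCP payload of each outbound connection to port 443 (for example exported from a packet capture with tshark or scapy); the matching SNI values tell you which host name a client asked for, and the capture’s timestamps and source addresses answer the “which client” question raised in the reply.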

Thanks for Info