[Graylog 2.2.3] Request to torproject

(kaiser) #1


Since I installed the last update, every 5 minutes I am seeing requests to torproject on my Ubuntu server where I am running graylog server.

My IDS is raising the following alert:

ET POLICY check.torproject.org IP lookup/Tor Usage

When I stop graylog-server there are no more requests and alerts.

I have downloaded the pcap file from the above alert and there is some information about a certificate:

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

I am using graylog with TLS enabled

==> Does graylog use letsencrypt? Does graylog make requests to specific servers?



(Jochen) #2

No, unless you’re fetching certificates yourself and configure Graylog to use them.

No, unless you configure it to, for example with the Threat Intelligence plugin.

(kaiser) #3

Thank you Jochen for your reply.

Why would the threat intelligence plugin make requests to specific servers and for instance torproject?


(Jan Doberstein) #4


Please re-read what data feeds are used in the threat intel plugin.