[Graylog 2.2.3] Request to torproject


(kaiser) #1

Hi,

Since I installed the last update, every 5 minutes I am seeing requests to torproject on my Ubuntu server where I am running graylog-server.

My IDS is raising the following alert:

ET POLICY check.torproject.org IP lookup/Tor Usage

When I stop graylog-server there are no more requests and alerts.

I have downloaded the pcap file from the above alert and there is some information about a certificate:

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

I am using Graylog with TLS enabled.

==> Does Graylog use Let's Encrypt? Does Graylog make requests to specific servers?

Regards,

Xavier


(Jochen) #2

No, unless you’re fetching certificates yourself and configure Graylog to use them.

No, unless you configure it to, for example with the Threat Intelligence plugin.


(kaiser) #3

Thank you Jochen for your reply.

Why would the Threat Intelligence plugin make requests to specific servers, for instance torproject?

Xavier


(Jan Doberstein) #4

@cs.xdumas

please re-read what data feeds are used in the threat intel plugin.
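For readers following the thread: the Tor exit-node data feed behind this kind of lookup is a plain-text list of exit relays and their exit addresses that a lookup component downloads on a schedule and then consults locally, which is why an IDS sees a periodic outbound connection rather than one per checked IP. The block below is an added example written for this page, not Graylog's or the Threat Intelligence plugin's own code. It assumes the list uses the `ExitNode` / `Published` / `LastStatus` / `ExitAddress` record format of the check.torproject.org exit-addresses export; the sample list, the fingerprints and the IPs in it are constructed, and the 300-second refresh interval is chosen to mirror the 5-minute cadence reported in post #1, not taken from the plugin.

```python
"""Added example (not Graylog code): parse a Tor exit-addresses list and
serve cached lookups that refresh on a fixed interval.

Assumptions: the feed is in the check.torproject.org exit-addresses record
format; SAMPLE_EXIT_LIST below is constructed data with made-up
fingerprints and documentation-range IPs; the refresh interval is an
assumption chosen to match the 5-minute cadence described in the thread.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample in exit-addresses format (not real relay data).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2017-05-01 10:00:00
LastStatus 2017-05-01 11:00:00
ExitAddress 198.51.100.10 2017-05-01 11:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2017-05-01 09:30:00
LastStatus 2017-05-01 11:00:00
ExitAddress 203.0.113.7 2017-05-01 11:02:00
ExitAddress 203.0.113.8 2017-05-01 11:03:00
"""


@dataclass(frozen=True)
class ExitRecord:
    fingerprint: str   # relay fingerprint from the ExitNode line
    published: str     # Published timestamp of the relay descriptor
    last_status: str   # LastStatus timestamp
    seen_at: str       # timestamp on the ExitAddress line itself


def parse_exit_addresses(text: str) -> Dict[str, ExitRecord]:
    """Parse the exit-addresses format into {ip: ExitRecord}.

    One ExitNode block may carry several ExitAddress lines; each address
    becomes its own entry keyed by the normalised IP string.
    """
    table: Dict[str, ExitRecord] = {}
    fingerprint: Optional[str] = None
    published = last_status = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "ExitNode":
            fingerprint, published, last_status = rest, "", ""
        elif key == "Published":
            published = rest
        elif key == "LastStatus":
            last_status = rest
        elif key == "ExitAddress":
            if fingerprint is None:
                raise ValueError("ExitAddress line before any ExitNode line")
            ip_text, _, seen_at = rest.partition(" ")
            ip = str(ipaddress.ip_address(ip_text))  # validates and normalises
            table[ip] = ExitRecord(fingerprint, published, last_status, seen_at.strip())
        # Unknown keys are ignored so an extended feed does not break parsing.
    return table


class TorExitLookup:
    """Local lookup table that re-fetches the feed every `refresh_seconds`.

    The periodic fetch, not the individual lookups, is what produces the
    repeated outbound connections an IDS sees from a host running it.
    """

    def __init__(self, fetcher: Callable[[], str], refresh_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetcher = fetcher          # returns the raw feed text
        self._refresh = refresh_seconds
        self._clock = clock              # injectable for deterministic tests
        self._table: Dict[str, ExitRecord] = {}
        self._loaded_at: Optional[float] = None
        self.fetch_count = 0             # how many times the feed was pulled

    def _refresh_if_stale(self) -> None:
        now = self._clock()
        if self._loaded_at is None or now - self._loaded_at >= self._refresh:
            self._table = parse_exit_addresses(self._fetcher())
            self._loaded_at = now
            self.fetch_count += 1

    def lookup(self, ip_text: str) -> Optional[ExitRecord]:
        """Return the ExitRecord for a Tor exit address, else None.

        Malformed input is treated as "not a Tor exit" rather than an error.
        """
        self._refresh_if_stale()
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            return None
        return self._table.get(ip)


if __name__ == "__main__":
    lookup = TorExitLookup(lambda: SAMPLE_EXIT_LIST)
    for candidate in ("203.0.113.8", "192.0.2.1"):
        print(candidate, "->", lookup.lookup(candidate))
```

The fetcher is injected so the same code can be exercised offline against the constructed sample; in a deployment it would be the HTTPS download of the feed, and the interval you pick there is the cadence that shows up in an IDS policy alert like the one in post #1.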