[Graylog 2.2.3] Request to torproject


Since I installed the last update, every 5 minutes I am seeing requests to torproject on my Ubuntu server where I am running Graylog server.

My IDS is raising the following alert:

ET POLICY check.torproject.org IP lookup/Tor Usage

When I stop graylog-server there are no more requests and alerts.

I have downloaded the pcap file from the above alert and there is some information about the certificate:

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

I am using graylog with TLS enabled

==> Does Graylog use letsencrypt? Does Graylog make requests to specific servers?



No, unless you’re fetching certificates yourself and configure Graylog to use them.

No, unless you configure it to, for example with the Threat Intelligence plugin.

Thank you Jochen for your reply.

Why would the Threat Intelligence plugin make requests to specific servers, and for instance torproject?



Please re-read what data feeds are used in the threat intel plugin.