False positive on google.com.onion AP check

Hey,

I’d like to reach out to consult about a (quite likely) possible FP of a SID in EveBox Rules.

This SID fires every time phones connect to the network - apparently, due to Samsung’s “Detect suspicious networks” feature, which sends a bunch of fishy DNS requests when connecting to a new AP. But Samsung might not be the only vendor doing it.

In this case, the offensive DNS request is google.com.onion

The most helpful source:

Attaching captured pcap too.

3@251127-YgBNkp0ZOrdNC7rybRZCBozi.pcap (116 Bytes)

I am not too familiar with rule evaluation, so I guess, do as you wish.

Thanks @lukashino! We classify this as an INFO/POLICY rule at informational severity. I’m hesitant to add in a UA string or specific domain safelist to this signature since it’s working as designed in this case. Can you do a local tune if the events are interfering with your workflows?
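For readers looking for what a "local tune" of this kind looks like in practice, here is an added example of a Suricata suppression entry; it is not from the original thread or from the ET ruleset. The SID (`2000000`) and the address range (`10.0.20.0/24`, assumed to be the VLAN the phones land on) are placeholders, since the thread does not name the actual signature ID or the network; substitute the SID shown in the EveBox alert and your own phone subnet.

```text
# threshold.config (path set by the "threshold-file" option in suricata.yaml)
#
# Suppress the informational .onion DNS-query alert only when it originates
# from the subnet where the phones connect, so the rule still fires for
# every other source on the network.
#
# 2000000 is a placeholder; replace it with the real SID from the alert.
# 10.0.20.0/24 is an assumed phone VLAN; replace it with your own range.
suppress gen_id 1, sig_id 2000000, track by_src, ip 10.0.20.0/24

# Alternative, if the alert is only noisy rather than unwanted: keep one
# alert per source every 10 minutes instead of one per association.
# threshold gen_id 1, sig_id 2000000, type limit, track by_src, count 1, seconds 600
```

Suppressing by source subnet keeps the signal for workstations and servers, where a query for `google.com.onion` is not explained by a vendor's network-probing feature, while silencing the expected noise from handsets. Disabling the SID outright (for example via `suricata-update`'s disable.conf) would also remove that signal, so the scoped suppression is the safer first choice.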

Hey, thanks for the reply.

Yeah, I will locally adjust to my environment.
