I’ve heard this code detects false positives all the time. Could this be a DDoS attempt? I’ve detected some degraded network performance since this began. However, my modem is dying. I keep getting spammed by this IP: 65.108.3.114. That IP is listed in a malware database as well.
I did scan my system with ClamAV, and still have to parse through the results. So far, everything I’ve checked in VirusTotal has been a false positive.
One of my machines does use Tor. Is this something producing enough false positives that it’s worth silencing this notification?
This rule is pretty basic so we can break down what it is trying to detect.
alert http $EXTERNAL_NET any -> $HOME_NET any - This states any external IP address that makes an HTTP request to your home network. By default, this is defined as any IP that falls into 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12. $EXTERNAL_NET will be anything outside of those ranges.
flow:established,to_client; - This says a TCP connection has been established from the server.
content:"0a0a0a0a"; nocase; - This is the meat and potatoes of the rule which is looking for the string 0a0a0a0a (case insensitive) anywhere in the HTTP connection. This is very generic and the rule has a low confidence. That being said, this string is commonly used by attackers who are attempting to exploit a heap overflow which can crash programs and execute malicious code.
This could mean a lot of things, but without a pcap or further investigation there isn’t any way we can say with certainty what this traffic is attempting to do. It could be a DDoS attempt or a compromised host that is spamming that traffic all over the internet.
My recommendation would be to blacklist the IP 65.108.3.114, and that should reduce the strain on your modem and hopefully resolve the issue. One benefit of this is that you can keep the rule enabled and continue to have visibility into traffic like this destined towards your network. I will add a threshold to this rule in today’s release that should limit the number of alerts you’re seeing on your end.
Please let me know if you have further questions and I’m happy to help!
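To make the three pieces of the rule concrete, here is an added Python model (not Suricata's code and not the rule maintainer's) that applies the direction, flow and nocase content checks to a few constructed HTTP exchanges and then applies a by-source limit threshold of the kind the reply says will be added; the threshold values, the home-network defaults and all of the traffic below are assumptions.

```python
import ipaddress
from collections import defaultdict

# $HOME_NET defaults quoted in the thread; everything else is $EXTERNAL_NET.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
PATTERN = b"0a0a0a0a"  # content:"0a0a0a0a"; nocase; -> the ASCII string, any case

def in_home_net(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)

def rule_matches(src: str, dst: str, to_client: bool, payload: bytes) -> bool:
    """Header, flow and content checks in the order the reply explains them."""
    if in_home_net(src) or not in_home_net(dst):  # $EXTERNAL_NET any -> $HOME_NET any
        return False
    if not to_client:                             # flow:established,to_client
        return False
    return PATTERN in payload.lower()             # nocase content match

class LimitThreshold:
    """Approximates 'threshold: type limit, track by_src, count N, seconds S' (N, S assumed)."""
    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(lambda: [None, 0])  # src -> [window_start, seen]
    def allow(self, src: str, ts: float) -> bool:
        w = self.windows[src]
        if w[0] is None or ts - w[0] >= self.seconds:
            w[0], w[1] = ts, 0  # open a new window for this source
        w[1] += 1
        return w[1] <= self.count

# Constructed traffic: (timestamp, src, dst, to_client, payload)
EVENTS = [
    (0, "65.108.3.114", "192.168.1.10", True, b"HTTP/1.1 200 OK\r\n\r\n0a0a0a0a0a0a"),
    (5, "65.108.3.114", "192.168.1.10", True, b"HTTP/1.1 200 OK\r\n\r\n0A0A0A0A0A0A"),
    (30, "65.108.3.114", "192.168.1.10", True, b"HTTP/1.1 200 OK\r\n\r\n0a0a0a0a"),
    # Benign: a hex digest containing the pattern, which is why confidence is low.
    (40, "93.184.216.34", "192.168.1.10", True, b'{"sha256":"7c0A0A0A0Ab1"}'),
    (50, "192.168.1.10", "65.108.3.114", False, b"GET /0a0a0a0a HTTP/1.1\r\n"),  # wrong direction
    (70, "65.108.3.114", "192.168.1.10", True, b"HTTP/1.1 200 OK\r\n\r\n0a0a0a0a"),
]

def run(events=EVENTS, count=1, seconds=60):
    """Return (raw_matches, alerts_after_threshold), each a list of (ts, src)."""
    thr = LimitThreshold(count, seconds)
    raw, alerts = [], []
    for ts, src, dst, to_client, payload in events:
        if rule_matches(src, dst, to_client, payload):
            raw.append((ts, src))
            if thr.allow(src, ts):
                alerts.append((ts, src))
    return raw, alerts
```

Five of the six constructed exchanges match the raw rule (the request from the home side is dropped by the direction and flow checks), and the by-source limit reduces the repeated hits from 65.108.3.114 to one alert per window while the separate source still surfaces.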
I personally haven’t used OPNsense much, but this is how I would do it based on my lab setup, which is running version 25.1 (I’m not sure if it looks different than this on older versions, but I assume it should be about the same).
Navigate to Firewall -> Rules -> WAN
Click the orange + button
Set Action: Block
Set Source: Single host or Network
Set Category: Whatever you want to call it
Set Description: Block 65.108.3.114 Due to Inbound Shellcode (or whatever you want)
Here is a screenshot of the configuration I would use. It may also be helpful to skim through these cheat sheets to get a better idea as to what these settings mean. Here are just a few I’ve found but there are almost certainly more out there.
I fixed an issue with ClamAV getting blocked from updating because it was trying to go out over my VPN. Wonder if that was what was causing me to get spammed.