02-15-2021, 08:16 PM
I played in the last few days with suricata ids/ips and today i come across something terrible if this thing happens on any LinuxLite and not only on my end. Updating from the menu icon "install updates" seems to trigger an alert from suricata rule 2013028 emerging threats. At first i thought is a false positive but then i saw each and every time i click that update icon from the menu it triggers that alert and it send some outbound connection toward google domain ip 142.250.178 and 216.x.x.x For example the alert looks like this: "[1:2013028:5] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.x.x:36200 -> 142.250.178.14:80" .To check further the problem i blocked with UFW outbound connections toward those ip ranges coresponding to google domains for port 80. The result was that when i clicked again on "install updates" i get the message your pc is not connected to the internet. Tried several times to be sure and same result. Tried to update via terminal and everything seems to work ok via terminal. I disabled firewall and clicked again now it works again of course triggering again that alert. Now the question is, is it ok to let google know when i make or not make updates? For me this is a huge privacy issue and hope that this happens only on my end so the question you guys have the same outcome when blocking google port 80? I use youtube a lot this days so my id can be easily asociated with my update schedule. Thank you in advance and hope i did not bored to death anyone with this oneĀ :