    #1 Newbie (joined Oct 2018, 10 posts)

    Amazonaws Continues to be flagged

    Fairly new to Untangle, so thanks in advance for the help!

    I've been getting a lot of phishing alerts related to sites in the amazonaws.com domain. This extends to things like alerts from a Wyze camera, static images on web sites, etc.

    I added the following rule in Pass Sites:

    UntangleImage.jpg

    However, I continue to get email alerts

    UntangleImage2.jpg

    Short of turning off all Phishing alerts, how can I stop receiving these?

    Thanks!!

    #2 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 8,516 posts)

    Quote Originally Posted by NeuroDoc:
    Fairly new to Untangle, so thanks in advance for the help!

    I've been getting a lot of phishing alerts related to sites in the amazonaws.com domain. This extends to things like alerts from a Wyze camera, static images on web sites, etc.

    I added the following rule in Pass Sites:

    UntangleImage.jpg

    However, I continue to get email alerts

    UntangleImage2.jpg

    Short of turning off all Phishing alerts, how can I stop receiving these?

    Thanks!!
    It's not flagging amazonaws.com but specifically that site.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

    #3 Newbie (joined Oct 2018, 10 posts)

    So is it possible to allow all traffic from amazonaws.com to pass unflagged, or do I need to enter slcphoeniximages.s3.us-west-2.amazonaws.com specifically?

    #4 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 8,516 posts)

    Either will work.

    #5 Newbie (joined Oct 2018, 10 posts)

    I thought that's what I was doing by putting in the pass for "*.amazonaws.com". What do I need to do differently?

    #6 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 8,516 posts)

    You have 4 levels of domain names in slcphoeniximages.s3.us-west-2.amazonaws.com

    Also the field is not pure glob. It's a special URL matcher as listed in the docs
    https://wiki.untangle.com/index.php/...ter#Pass_Sites
    https://wiki.untangle.com/index.php/URL_Matcher

    The correct syntax for all subdomains of us-west-2.amazonaws.com is just "us-west-2.amazonaws.com". Remove the "*.".

    Similarly "*." is stripped from the rule for the same reason as above. If you truly want all subdomains but not the main domain matched, you can accomplish this by doing "*?.foo.com"
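The rule semantics described in the post above (a bare domain covers itself and every subdomain, a leading "*." is implied and therefore dropped, "*?.foo.com" covers subdomains only), as an added Python model that is not Untangle's own matcher code. The glob translation (`*` = any run of characters, `?` = exactly one character), the path-prefix handling and the anchoring of the host pattern to the whole hostname are my assumptions, chosen so that a pass rule for foo.com can never be satisfied by a lookalike such as foo.com.evil.org:

```python
import re
from urllib.parse import urlsplit

# Added example, not Untangle's code: a small model of the Pass Sites rule
# semantics described in the thread. Assumptions: a rule without wildcards
# matches the domain and every subdomain; a leading "*." is dropped as
# implied; "*" matches any run of characters and "?" exactly one; the host
# part is anchored to the whole hostname (my choice, so a pass rule cannot be
# satisfied by a lookalike hostname such as foo.com.evil.org).


def split_rule(rule):
    """Return (host_pattern, path_prefix) for a rule like 'foo.com/images'."""
    rule = rule.strip().lower()
    if "://" in rule:                      # the scheme plays no part in matching
        rule = rule.split("://", 1)[1]
    host, _, path = rule.partition("/")
    if host.startswith("*."):              # "*.foo.com" is the same rule as "foo.com"
        host = host[2:]
    return host, ("/" + path) if path else ""


def host_regex(host_pattern):
    """Compile the host part of a rule to an anchored regular expression."""
    pieces = []
    for ch in host_pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    body = "".join(pieces)
    if not any(c in host_pattern for c in "*?"):
        body = r"(?:.*\.)?" + body         # bare domain: itself or any subdomain
    return re.compile(r"\A" + body + r"\Z")


def url_matches(rule, url):
    """True if the rule matches this URL under the modelled semantics."""
    host_pattern, path_prefix = split_rule(rule)
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return bool(host_regex(host_pattern).match(host)) and path.startswith(path_prefix)


def first_matching_rule(rules, url):
    """Return the first rule of a pass list that matches the URL, or None."""
    for rule in rules:
        if url_matches(rule, url):
            return rule
    return None


if __name__ == "__main__":
    wyze = "http://slcphoeniximages.s3.us-west-2.amazonaws.com/alert.jpg"
    for rule in ("*.amazonaws.com", "us-west-2.amazonaws.com", "*?.foo.com", "foo.com"):
        print(f"{rule:26} {wyze}: {url_matches(rule, wyze)}")
    for u in ("http://foo.com/", "http://bar.foo.com/", "http://www.foo.com.evil.org/"):
        print(f"{'*?.foo.com':26} {u}: {url_matches('*?.foo.com', u)}")
```

The anchoring is the part worth checking against a real deployment: a matcher that treats a wildcard rule as a bare prefix of host+path would let "*?.foo.com" pass traffic to www.foo.com.evil.org, which is exactly the kind of lookalike a phishing category is meant to catch. Test your own pass list against a few such hostnames before trusting a wildcard rule.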

    #7 Master Untangler (joined Oct 2013, 140 posts)

    I had similar issues yesterday.

    This URL is being blocked and treated under the category “Phishing and Other Frauds” in Web Filter, as well as “Suspicious” in Threat Prevention

    The URL of interest is: h**p://wyze-device-alarm-file-ai.s3.us-west-2.amazonaws.com

    Traffic was being sourced from all our Wyze cameras (approx. 18 of them). I have been with Wyze support and they have qualified that URL to be legit.

    Haven't seen entries in the event logs today so I guess its reputation has improved (?)

    #8 Newbie (joined Feb 2020, 13 posts)

    Hopefully I'm not hijacking, but I think I'm having same issue don't want to create a duplicate thread.

    I was coming here with similar problem - I keep getting warnings multiple times a day for bpi.rtactivate.com coming mostly from my wife's iPhone and the IP lookup goes to Amazon AWS. Not sure if this is the same issue or not (I'm not sophisticated in this area!) but it's hard to know if 1) I should be concerned 2) I should do something and 3) what the consequences for blocking are if this is a legit amazon link.

    Here's my web filter warning:

    System: Untangle [untangle.example.com]

    Event: WebFilterEvent

    Event Time: 2020-03-24 15:39:53.759.

    Event Summary:
    Web Filter blocked http://bpi.rtactivate.com/ (Phishing and Other Frauds)

    Event Details:
    app name = web_filter
    blocked = true
    category = Phishing and Other Frauds
    category id = 57
    flagged = true
    reason = BLOCK_CATEGORY
    request line = GET http://bpi.rtactivate.com/
    rule id = 57
    session event
    bypassed = false
    c client addr = 192.168.2.155
    c client port = 55139
    c server addr = 18.214.74.27
    c server port = 443
    client country = XL
    client intf = 2
    entitled = true
    hostname = (deleted)X
    local addr = 192.168.2.155
    policy id = 1
    policy rule id = 0
    protocol = 6
    protocol name = TCP
    remote addr = 18.214.74.27
    s client addr = 47.201.119.118
    s client port = 21457
    s server addr = 18.214.74.27
    s server port = 443
    server country = US
    server intf = 1
    server latitude = 39.0481
    server longitude = -77.4728
    session id = 103858985016298
    tags string =
    time stamp = 2020-03-24 15:39:53.701
    time stamp = 2020-03-24 15:39:53.759

    #9 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 8,516 posts)

    The session was blocked so it should not matter.

    #10 Newbie (joined Feb 2020, 13 posts)

    Quote Originally Posted by jcoffin:
    The session was blocked so it should not matter.
    Well yes it was blocked, but I kinda feel like I should know IF it should be blocked and WHAT it was to begin with and WHY it was going out in the first place.

    Or is ignorance bliss? I feel like since I'm getting this error multiple times a day I should investigate more.
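The first step toward "should I investigate" is turning the alert mails into something countable: which client, which hostname, how often, and whether the session was actually stopped. The following is an added Python example, not Untangle's code. The first sample alert is the Web Filter event quoted in post #8 above (trimmed to the fields used here, hostname placeholder kept); the other two are constructed repeats with a different time and a second, invented client address, so the counting has something to count:

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Added example, not Untangle's code. BASE_ALERT is the Web Filter event quoted
# in the thread (subset of fields); the other entries in SAMPLE_ALERTS are
# constructed variants (different time, one invented second client).
BASE_ALERT = """System: Untangle [untangle.example.com]

Event: WebFilterEvent

Event Summary:
Web Filter blocked http://bpi.rtactivate.com/ (Phishing and Other Frauds)

Event Details:
app name = web_filter
blocked = true
category = Phishing and Other Frauds
category id = 57
flagged = true
reason = BLOCK_CATEGORY
request line = GET http://bpi.rtactivate.com/
session event
bypassed = false
c client addr = 192.168.2.155
c client port = 55139
c server addr = 18.214.74.27
c server port = 443
hostname = (deleted)X
protocol name = TCP
s server addr = 18.214.74.27
s server port = 443
time stamp = 2020-03-24 15:39:53.701
time stamp = 2020-03-24 15:39:53.759
"""

SAMPLE_ALERTS = [
    BASE_ALERT,
    BASE_ALERT.replace("15:39:53", "18:02:10"),                                   # constructed
    BASE_ALERT.replace("192.168.2.155", "192.168.2.40").replace("15:39:53", "21:14:07"),  # constructed
]

KV = re.compile(r"^\s*([a-z][a-z0-9 ]*?)\s*=\s*(.*)$")
SUMMARY = re.compile(r"Web Filter (blocked|flagged) (\S+) \((.*)\)")


def parse_alert(text):
    """Turn one alert mail into a dict: 'c client addr' -> ev['c_client_addr']."""
    ev = {}
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue                                   # headings, 'session event', etc.
        key = m.group(1).strip().replace(" ", "_")
        val = m.group(2).strip()
        if val in ("true", "false"):
            val = (val == "true")
        ev.setdefault(key, val)                        # first 'time stamp' is the session start
    m = SUMMARY.search(text)
    if m:
        ev["action"], ev["url"], ev["category"] = m.group(1), m.group(2), m.group(3)
        ev["host"] = urlsplit(ev["url"]).hostname
    return ev


def triage(ev):
    """The fields a practitioner wants first: who asked, for what, was it stopped."""
    return {
        "client": ev.get("c_client_addr"),
        "device": ev.get("hostname"),
        "host": ev.get("host"),
        "server": ev.get("s_server_addr"),
        "server_port": ev.get("s_server_port"),
        "category": ev.get("category"),
        "stopped": bool(ev.get("blocked")) and not bool(ev.get("bypassed", False)),
        "when": ev.get("time_stamp"),
    }


def repeat_offenders(alerts):
    """Count (client, host) pairs across many alert mails."""
    return Counter((t["client"], t["host"]) for t in map(triage, map(parse_alert, alerts)))


if __name__ == "__main__":
    for (client, host), n in repeat_offenders(SAMPLE_ALERTS).most_common():
        print(f"{client:15} -> {host:25} {n} alert(s)")
```

A client that hits the same flagged hostname several times a day is usually a single app or device retrying, and the (client, host) pair tells you which one to look at; the `stopped` flag confirms the Web Filter block held for that session, which is the point jcoffin makes above, without answering the separate question of what on the device is making the request.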
