LibreElec Updates triggers Emerging Threats Suricata Rules.

CA_cabotage · February 16, 2017 at 12:17 AM

Probably just a rule that needs to be suppressed for false positives, but I thought it might be worth mentioning here. I don't know if there is anything that can be done programming side to prevent this?

LibreElec updates triggers an alert on suricata ET rules.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"Python-urllib/"; nocase; http_user_agent; depth:14; content:!"dropbox.com|0d0a|"; http_header; reference:url,http://www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:4; )

**lrusak** · February 16, 2017 at 1:03 AM Official Post

No idea what that is.

I don't know why Dropbox.com is listed as we don't use it at all.

Probably need a bit more information about your setup, version, etc.

CA_cabotage · February 18, 2017 at 12:38 AM

Quote from lrusak

No idea what that is.

I don't know why Dropbox.com is listed as we don't use it at all.

Probably need a bit more information about your setup, version, etc.

I'm using the latest beta version, 7.95.3

**chewitt** · February 18, 2017 at 5:28 AM Official Post

Quote from CA_cabotage

Probably just a rule that needs to be suppressed for false positives, but I thought it might be worth mentioning here. I don't know if there is anything that can be done programming side to prevent this?

LibreElec updates triggers an alert on suricata ET rules.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"Python-urllib/"; nocase; http_user_agent; depth:14; content:!"dropbox.com|0d0a|"; http_header; reference:url,http://www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:4; )

It's a false positive, and nothing we can do anything about.