Did install Snowflake on one TO and it running well according to the output of:
grep ‘snowflake’ /var/log/messages.1
Have a little script summing the traffic and there is a few GB per day usually despite being heavily NATed.
But also running on that TO the Sentinel and Dynamic FW.
(So I’m not only leeching on the fruits of the projects, right?)
The Sentinel Components are all on - except for Survey.
In before the Snowflake went inside the TO there were no incidents reported by the device (can be seen on Sentinel View by Device token).
Having the Snowflake also in the LAN on separate devices before moving it into TO. That does not create a single such event afaik.
(Snowflake in use more than a year.)
All reported incidents are in ‘Top traps by incidents recorded’ only as ‘fwlogs’ marked.
The Snowflake works as connecting to the broker service that matching requests to be bridged through Snowflake instances. Therefore the connections are introduced as incoming to my Snowflake(?). From the service afaik the outgoing connections are: on the broker belonging to the Tor project and after the WebRTC p2p is established, bridging that traffic into the Tor relay of choice.
I did read this Technical overview but unsure if my understanding is correct, mainly how is the WebRTC done - if that is incoming or my Snowflake is asked to introduce itself to the counterparty.
Now as this is widely deployed service (standalone instances into: docker, Linux, as a browser extension or even process in the opened browser tab, OpenWRT) - I’m not sure how much risk is here to be monitored.
As Snowflake only blindly transporting the data, not executing something and it’s a WebRTC-like traffic.
‘There is no need to worry about which websites people are accessing through your Snowflake proxy. Their visible browsing IP address will match their Tor exit node, not yours.’
Also from the reForis menu info: ‘Sentinel uses them to monitor packets coming from outside network and trying to connect to potentially vulnerable local services.’
Have few questions:
-
are those ‘fwlogs’ events processed:
a) again for some reinforcement of the threat entry, meaning they help to the ‘threat’ to stay in database longer because of such occurrence?
b) it’s only for my id statistics
c) both -
can be those somehow false positives? Because of the abuse of Tor/Domain Fronting/Snowflake brokers. Meaning they are by mistake of en mass reporting existing as threat from instances such is this one.
-
why it’s now visible only when Snowflake is in TO, but it doesn’t catch the LAN traffic. That bothering me most because there is no change in my network, no new services. Rest of the traffic goes in/out through the VPN (Snowflake does not).
How can I check for more information what device/traffic does trigger such event? (What device can cause incoming traffic of this type.)
‘ipset list’ does not work, presumably because the transition on nftables with 7.1
So far only thinking that someone is probing the network (and is already as malicious in database) - because the recorded events are from ‘simple firewall monitoring’, not the Minipots. Maybe as this is the new installation there is also new broker with different history or region to maintain in contrast to previous one.
Also maybe important to note:
this TO is behind someones else gateway so the Snowflake checking procedure for NAT type returning:
NAT Type measurement: unknown → restricted = restricted
NAT type: restricted
Also the Snort installed for a period of time both with Snowflake in LAN and in TO.
For each option it does warn me (after editing some conf. for it to be displayed daily in reForis) and it flooded the log with many warnings pointing I believe the Snowflake traffic.
(Because that does stop as Snowflake paused.)
For the excessive logging that I do not now how to tame it and make a good use of that, Snort no longer in use.
Before posting here, checked also:
this post and the Sentinel Intro / Setup / Threat detection and few more posts here and there in hope that not missing some obvious info that could help me.