20.7 Legacy Series / DHCP ACK sends out WPAD address on interface with Windows 7 client
« on: November 09, 2020, 09:52:35 pm »
Hi!
I have a Win 7 here on its own LAN with no connection to the internet. After a fresh install of 20.7.4 some days ago I started to see alerts (drop) in Suricata on this particular interface:
Code:
Content match Service Suricata_alert
Date: Mon, 09 Nov 2020 04:38:55
Action: alert
Host: OPN0518.myOPNsenseDomain.home.arpa
Description: content match:
{"timestamp":"2020-11-09T04:36:59.210662+0100","flow_id":1511934677169894,"in_iface":"em1^","event_type":"alert","src_ip":"aaa.bbb.ccc.1","src_port":67,"dest_ip":"aaa.bbb.ccc.14","dest_port":68,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2022915,"rev":1,"signature":"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel","category":"Generic Protocol Command Decode","severity":3,"metadata":{"updated_at":["2016_06_24"],"created_at":["2016_06_24"]}},"app_proto":"d
When I do a packet capture, I see that the DHCP ACK packet for this Win 7 client (aaa.bbb.ccc.14) coming from the OPNsense (.1) has the following info at the end of the packet:
Code:
.....https://wpad.myOPNsenseDomain.home.arpa:443/wpad.dat
What does this mean? I don't want my Win 7 to be tunneled via a proxy on my OPNsense to the interwebs. This makes no sense at all to me.
Can somebody enlighten me? :-)
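As an added example (not part of the forum post or of OPNsense), here is a small parser that walks the option field of a DHCP packet and reports whether a DHCP ACK carries option 252, the WPAD proxy-autoconfig URL that the Suricata rule quoted above matches on. The packet is constructed inline; the addresses and the URL are sample values, not taken from a real capture.

```python
# Added example: check a raw DHCP/BOOTP payload for option 252 (WPAD URL).
# Not OPNsense code; the sample packet below is constructed for this demo.
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 DHCP magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD, OPT_END = 0, 53, 54, 252, 255
DHCP_ACK = 5

def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value}; pad bytes are skipped, END stops parsing."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options, i = {}, 240                      # options start right after the cookie
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:              # option claims more bytes than exist
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options

def wpad_url_in_ack(packet: bytes) -> Optional[str]:
    """WPAD URL if the packet is a DHCP ACK carrying option 252, else None."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]) or OPT_WPAD not in opts:
        return None
    return opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")

def build_ack(wpad: Optional[str]) -> bytes:
    """Constructed sample: minimal 236-byte BOOTP reply header plus a few options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\x00" * 4, bytes([10, 0, 0, 14]), bytes([10, 0, 0, 1]),
                         b"\x00" * 4, b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_SERVER_ID, 4, 10, 0, 0, 1])
    if wpad is not None:                      # append option 252 only when asked
        url = wpad.encode("ascii")
        opts += bytes([OPT_WPAD, len(url)]) + url
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Feeding the UDP payload of a captured DHCP ACK to wpad_url_in_ack() shows directly whether the server is advertising a PAC URL, which is what the "WPAD DHCP 252 option" signature is flagging.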