Mylar update script triggers work firewall

Post any problems / bugs / issues that are Mylar-related in here.
hookers_and_gin
Posts: 12
Joined: Fri Mar 07, 2014 6:15 pm


Post by hookers_and_gin » Fri Aug 11, 2017 2:05 pm

This is more of an FYI as I'm not sure what can be done about this, nor can I give a lot of details about what's going on, but my work firewall sends an alert when I update Mylar from the web interface from my workstation.

The FW report says this:
Title: Beacon Detection
Detailed Description: This correlation object detects likely compromised hosts based on activity that resembles command-and-control (C2) beaconing, such as repeated visits to recently registered domains or dynamic DNS domains, repeated file downloads from the same location, generation of unknown traffic, etc.
Category: compromised-host
I do use a dynamic DNS domain to reach my Synology, BTW.

Is there a way to prevent the app from automatically reloading after an update or from pinging the client in this case? I apologize if I'm way off, not sure how this is set to work.

In the end, it's not a big deal but I thought I should share what happened.

Thanks for the great app again :)

evilhero
Site Admin
Posts: 1969
Joined: Sat Apr 20, 2013 3:43 pm

Re: Mylar update script triggers work firewall

Post by evilhero » Fri Aug 11, 2017 11:47 pm

It looks like it's getting tagged by the firewall due to the dynamic DNS address, since that's what it would be attempting to reach. It could also be assuming you're either the master of a botnet looking in on your 'clients', or you're on the other end of the spectrum and your home PC is attempting to look in at you as if you were part of a larger botnet (thus the C2 beaconing).

Mylar has to do a restart after it does an update, as would any application since it has to reload all the new code properly (otherwise you'd have remnants of code spattered throughout, and some files would be using the .pyc instead of the new .py files, etc).

I don't think there's anything that can be done - I mean aside from getting an actual domain name so that it wouldn't trigger the firewall, but it sounds like your work IT has it locked down pretty well (and as they should, that's what they get paid to do), it might still send out the beacon which would be just indicating that the page has been updated (which normally shouldn't fire off against a well-devised firewall). You could try going in directly by the IP (go to https://www.whatismyip.com/dns-lookup/ to get the IP from a dynamic DNS name) instead of the dynamic DNS address; it might trigger or it might not - if it doesn't trigger, then you know it was the dynamic DNS that's the issue.

Unless of course you're the IT firewall guy, then just add your dyndns address to the whitelist ;)
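
Added example (not part of the thread, not Mylar code, and not the firewall vendor's actual logic): a simplified sketch of the kind of heuristic the quoted alert describes, flagging a client that makes repeated, evenly spaced requests to a dynamic DNS host, run over constructed proxy log lines. The suffix list, the thresholds, and the idea that a browser page polling a restarting app produces evenly spaced requests are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: stand-in suffix; a real firewall uses its own dynamic-DNS URL category.
DYNDNS_SUFFIXES = (".dyndns.example",)

# Constructed log lines: timestamp, client IP, destination host.
SAMPLE_LOG = """\
2017-08-11T14:05:00 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:05 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:10 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:15 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:20 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:26 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:30 10.0.0.21 nas.dyndns.example
2017-08-11T14:05:02 10.0.0.21 www.example.com
2017-08-11T14:07:40 10.0.0.21 www.example.com
2017-08-11T14:00:00 10.0.0.30 cam.dyndns.example
2017-08-11T14:03:10 10.0.0.30 cam.dyndns.example
2017-08-11T14:04:00 10.0.0.30 cam.dyndns.example
2017-08-11T14:20:00 10.0.0.30 cam.dyndns.example
2017-08-11T14:21:30 10.0.0.30 cam.dyndns.example
"""

def parse(log):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events

def beacon_candidates(log, min_hits=5, max_jitter=0.2):
    """Return (client, host, hits, mean_gap_seconds) for beacon-like flows.

    A flow is flagged when the host is dynamic DNS, it was hit at least
    min_hits times, and the gaps between hits are regular: the ratio of
    their standard deviation to their mean is at most max_jitter.
    """
    flagged = []
    for (client, host), times in sorted(parse(log).items()):
        if not host.endswith(DYNDNS_SUFFIXES) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((client, host, len(times), round(avg, 1)))
    return flagged

if __name__ == "__main__":
    for row in beacon_candidates(SAMPLE_LOG):
        print("beacon-like:", row)
```

Only the evenly spaced flow is flagged; the irregular visits to the second dynamic DNS host and the requests to the ordinary domain are not, which matches the diagnostic suggested above of changing one variable (name versus IP) and seeing whether the alert still fires.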

hookers_and_gin
Posts: 12
Joined: Fri Mar 07, 2014 6:15 pm

Re: Mylar update script triggers work firewall

Post by hookers_and_gin » Sat Aug 12, 2017 12:26 am

I may try with an actual domain and see if that was the issue but since a ticket is created every time something like that happens I'll make sure I loop them in when I try...

Anyway, thanks for the in-depth reply!
