Not familiar with how bridge traffic appears on Unifi IDS/IPS, only Tor relay
traffic and sharing that as a proxy to help.
On Unifi Network v9.0.114, the latest, there are three options I've seen:
1) Disable "active detections"
2) "Suppressed Signatures"
3) "Detection Exclusions"
All three options under Network -> Settings -> Security -> Protection
Specifically for Tor relay traffic (not sure how bridge traffic is flagged by
Unifi IDS/IPS):
1) You can disable a group called "Peer to Peer and Dark Web" which has "TOR"
and "Dark Web Block List" as options. If you don't want to block or notify on
your network, you can disable these groups of signatures.
2) You can suppress specific signatures - I think this is what you're calling
"Allow Signature", for "TOR" category and "ET TOR Known Tor Relay/Router..."
If you don't want to block or notify, you can disable specific signatures
across all your network.
3) You can exclude the specific device by IP address from all IDS/IPS.
If you don't want any IDS/IPS on specific devices, you can disable notify /
blocking on them.
Pros / Cons to each approach, but hopefully the three options give decent
flexibility.
For bridge traffic, worth learning whether these IDS/IPS signature detections
are something you find concerning. I'd suspect they shouldn't be, but good to
confirm.
Suggestion - check the IP addresses, source and destination, check the specific
signature, and see if you feel comfortable with the traffic. Example on
signature research page, "ET Drop Dshield..." - ET is Emerging Threats -
https://rules.emergingthreats.net/
Fairly sure most are based on Suricata, which is fairly open / public with many
rulesets and used in many different systems beyond Unifi.
On Monday, March 31st, 2025 at 9:28 AM, Malcolm MacDonald via tor-relays
<[email protected]> wrote:
> Hello All!
> Not sure if anyone else is running a bridge behind a UniFi UXG but in my Flow
> log I am seeing blocked items with the Category of "DShield Block List" and
> Signature of "ET DROP Dshield Block Listed Source group 1" and the connection
> is being blocked.
>
> I'm thinking these alerts can be set to Allow Signature? Am I wrong on this
> one?
>
> Malcolm
_______________________________________________
tor-relays mailing list -- [email protected]
To unsubscribe send an email to [email protected]
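As an added example that is not part of the thread: a small Python script that parses Emerging Threats / Suricata rule lines, resolves the signature text shown in a Unifi alert (even when truncated with "...") to its sid, and emits a Suricata threshold.config suppress entry scoped to the relay's IP, which is the per-host form of option 2 above. The rule lines and sid numbers are constructed placeholders (not the real ET sids), and the output uses upstream Suricata syntax since Unifi's own storage format for suppressions is not documented here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules in Emerging Threats / Suricata syntax
# (https://rules.emergingthreats.net/). The sid values are placeholders.
SAMPLE_RULES = """\
# comment line, ignored
alert ip [192.0.2.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.5,198.51.100.6] any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; classtype:misc-attack; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"ET POLICY disabled example"; sid:9000003; rev:1;)
"""

@dataclass
class Rule:
    enabled: bool   # False when the line is commented out in the ruleset
    action: str
    src: str
    dst: str
    msg: str
    sid: int

RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+\S+\s+'
                     r'(?P<src>\S+)\s+\S+\s+(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$')

def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines, keeping disabled (commented-out) rules; skip other comments."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        msg = re.search(r'msg:"([^"]*)"', m['opts'])
        sid = re.search(r'\bsid:(\d+)', m['opts'])
        if not (msg and sid):
            continue
        rules.append(Rule(m['disabled'] is None, m['action'], m['src'], m['dst'],
                          msg.group(1), int(sid.group(1))))
    return rules

def find_rule(rules: List[Rule], signature: str) -> Optional[Rule]:
    """Map the signature text from a Unifi alert to its rule; a trailing '...' is a prefix match."""
    prefix = signature.rstrip('.')
    return next((r for r in rules if r.msg.startswith(prefix)), None)

def suppress_entry(rule: Rule, relay_ip: str) -> str:
    """threshold.config line silencing only this sid for the relay.
    Track on whichever side of the rule is $HOME_NET, i.e. the side the relay sits on."""
    track = "by_src" if "$HOME_NET" in rule.src else "by_dst"
    return f"suppress gen_id 1, sig_id {rule.sid}, track {track}, ip {relay_ip}"
```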