Chisel traffic rejected due to "Potential Threat Detected"

Question

Chisel traffic rejected due to "Potential Threat Detected"

yaakov-berkovitch opened this issue a year ago · comments

All,

We are facing an issue where chisel client failed to communicate with the server because the traffic is suspected as malicious. From the capture we did we can see:

No.	Time	                                Source  Destination	  Protocol	Length	Info	                                                                 Port
30	2023-06-06 20:39:32.904515	1.1.3.4	4.5.6.7	   HTTP	          295	GET / HTTP/1.1 	                                         8082
31	2023-06-06 20:39:32.905755	4.5.6.7	1.2.3.4	   HTTP	          381	HTTP/1.1 401 Access Denied  (text/html)	30108

and the following body appears: "Potential Threat Detected"

Does anybody failed on the same ? Not clear the root cause because no traffic scanner or threat detection is running.

Any idea will be welcome.

Thanks

Jaime Pillora · Answer 1 · Thu Jun 08 2023 17:56:28 GMT+0800 (China Standard Time)

Websocket protocol string has chisel in it so they might be looking at that I originally wrote chisel to get ssh through hotel wifi though now it’s used for a lot - lots of red teaming, lots of black hat stuff too I’m guessing hence the security tools focusing on it I won’t change the source and play cat and mouse with security vendors but you can do it yourself 👍

…

On Thu, 8 Jun 2023 at 7:31 pm yberkov ***@***.***> wrote: All, We are facing an issue where chisel client failed to communicate with the server because the traffic is suspected as malicious. From the capture we did we can see: No. Time Source Destination Protocol Length Info Port 30 2023-06-06 20:39:32.904515 1.1.3.4 4.5.6.7 HTTP 295 GET / HTTP/1.1 8082 31 2023-06-06 20:39:32.905755 4.5.6.7 1.2.3.4 HTTP 381 HTTP/1.1 401 Access Denied (text/html) 30108 and the following body appears: "Potential Threat Detected" Does anybody failed on the same ? Not clear the root cause because no traffic scanner or threat detection is running. Any idea will be welcome. Thanks — Reply to this email directly, view it on GitHub <#432>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE2X42ORSRK3EZS6QTBHS3XKGLXTANCNFSM6AAAAAAY7A4EZU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

yberkov · Answer 2 · Thu Jun 08 2023 18:58:32 GMT+0800 (China Standard Time)

I thought the same regarding the "chisel" string used for the Websocket protocol - Will give a try.

yberkov · Answer 3 · Sun Jun 18 2023 22:32:09 GMT+0800 (China Standard Time)

@jpillora the WS renaming helped fixing the issue - Do you agree to rename it and not using "chisel" as part of the name ? Or to allow customizing this name using command line option. WDYT ? Do you want me to create a PR for that ?

sebledezma · Answer 4 · Thu Jul 13 2023 19:25:10 GMT+0800 (China Standard Time)

@yaakov-berkovitch can you point me to where the WS renaming is done ? I don't know the Go language.