Volumio traffic being flagged as threat

After I got Volumio set up, every 6 minutes or so traffic is being flagged as a threat on my network.

A network intrusion attempt from volumio to 142.93.107.218 (pushupdates.volumio.org) has been detected and blocked

I am assuming this is just traffic to get updates, but my firewall is seeing it as the “ET USER_AGENTS Node XMLHTTP User-Agent” signature.

Is anyone else seeing this? I am assuming I can just whitelist the traffic; I checked the URL and it looks safe.

Thoughts? Thanks!

Hey @VolumDrew,

The traffic is benign.

The signature ET USER_AGENTS Node XMLHTTP User-Agent (Emerging Threats sid:2027388) matches on the User-Agent string “node-XMLHttpRequest” only. It does not inspect the destination, payload, or behaviour. Its classification is “unknown” with severity “Minor” and performance impact “Low”. It is a generic fingerprint for the Node.js xmlhttprequest library, not a malware indicator.

The endpoint can be safely whitelisted, or the signature suppressed at the firewall, depending on which approach your IDS prefers.

Worth noting that the same Emerging Threats ruleset includes several other minor User-Agent fingerprint rules from the same 2019 batch. If your firewall is flagging this one but not the others, that is a configuration outcome on your side, not a difference in the traffic itself. Why not flag MS Update?

Kind Regards,

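As an added illustration (not from this thread or from the Volumio project) of the point above that the signature keys on the User-Agent header alone, the following Python models the match and the two mitigation choices: suppressing sid 2027388 only for the known update host (the equivalent of a destination-scoped suppression) versus disabling the sid outright. The sample requests are constructed, and the case-insensitive match is an assumption about the rule.

```python
"""Model of ET sid 2027388 matching and of two ways to quiet it (added example)."""
from dataclasses import dataclass, field

SID = 2027388
UA_NEEDLE = "node-XMLHttpRequest"  # the only thing the signature inspects


@dataclass
class HttpRequest:
    dst_ip: str
    host: str
    headers: dict = field(default_factory=dict)


# Constructed sample traffic: the Volumio update check (from the thread), an
# unrelated Node.js client, and a non-Node request to the same update host.
SAMPLES = [
    HttpRequest("142.93.107.218", "pushupdates.volumio.org",
                {"User-Agent": "node-XMLHttpRequest"}),
    HttpRequest("203.0.113.9", "example.invalid",
                {"User-Agent": "node-XMLHttpRequest"}),
    HttpRequest("142.93.107.218", "pushupdates.volumio.org",
                {"User-Agent": "curl/8.0"}),
]


def signature_matches(req: HttpRequest) -> bool:
    """Mirror of the rule's logic: a substring test on User-Agent, nothing else.

    Destination, host and payload are deliberately ignored, which is why the
    rule fires on every Node.js xmlhttprequest client regardless of where it
    talks to. Case-insensitive comparison is assumed here.
    """
    ua = req.headers.get("User-Agent", "")
    return UA_NEEDLE.lower() in ua.lower()


def alerts(requests, suppress_dst=frozenset(), disabled=False):
    """Destinations that would still alert after mitigation.

    suppress_dst: destination IPs for which the sid is suppressed (the
    'whitelist the endpoint' option; keeps the rule live for everything else).
    disabled:     drop the sid entirely (the 'suppress the signature' option).
    """
    if disabled:
        return []
    return [r.dst_ip for r in requests
            if signature_matches(r) and r.dst_ip not in suppress_dst]
```

Suppressing by destination keeps the fingerprint active for any other Node.js client on the network, which is the narrower of the two changes.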

Thanks for the info, I figured it was benign. I’ll whitelist it.