Post At4NUt341tlfyC5EOW by tejr@mastodon.sdf.org
 (DIR) Post #AstN0ZirBIXObacQ6q by Dryusdan@social.dryusdan.fr
       2025-04-08T16:50:31.060737Z
       
       0 likes, 1 repeats
       
        📰 New article: “L'IA et Forgejo” (AI and Forgejo)   https://dryusdan.space/lia-et-forgejo
       
 (DIR) Post #AstN0k3Qlew8eIJzZA by Dryusdan@social.dryusdan.fr
       2025-04-08T17:05:14.073777Z
       
       0 likes, 0 repeats
       
        With the video fixed now x)
       
 (DIR) Post #AstWOZCDgmudVgrrxA by Dryusdan@social.dryusdan.fr
       2025-04-08T20:54:16.051143Z
       
       1 likes, 0 repeats
       
        @codimp I admit that made me laugh a lot 😁 Imagine: they hire people to find flaws that let them tell that content is AI-generated so they don't scrape it, and then generate AI content that the AI will scrape. Those guys have found a way to work forever! And to think that my job is about reducing my own workload, but not theirs 😁
       
 (DIR) Post #At4NBGwHUlogH1Ye00 by tejr@mastodon.sdf.org
       2025-04-14T03:46:53Z
       
       1 likes, 0 repeats
       
        @Dryusdan Hello; I have had very similar problems—maybe the same botnet.  tcpdump with ja3.py showed the botnet requests all had the same JA3 TLS client sig.  I blocked that with Suricata filtering inbound HTTPS in IPS mode (iptables NFQUEUE) and TCP RST, with a shorter timeout for Apache HTTPD requests (mod_reqtimeout).  This has worked very well after what has been a maddening few weeks.  (Sorry, my French is good enough to read your post, but not to reply...)
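
The JA3 computation behind "tcpdump with ja3.py" is small enough to show in full. The block below is an added example, not code from either poster or from the ja3 project: it parses one TLS ClientHello record, drops GREASE values, builds the `SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats` string and MD5s it, which is the same recipe ja3.py applies to each flow in a pcap. The ClientHello bytes are constructed for the example (zero random, three cipher suites, a GREASE suite and a GREASE extension thrown in to show they are ignored); in practice the function is fed the first handshake record of each inbound port-443 flow.

```python
"""Compute a JA3 TLS client fingerprint from a raw TLS ClientHello record.

Added example for this thread; not ja3.py itself. Handles only the parts of the
ClientHello that JA3 needs and raises ValueError on anything that is not a
ClientHello, so a caller looping over flows can skip non-matching records.
"""
import hashlib
import struct


def _is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa. JA3 leaves them
    # out so that a client randomising them still gets a stable fingerprint.
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def _u16_list(buf: bytes) -> list:
    # Big-endian 16-bit values with GREASE removed.
    return [v for (v,) in struct.iter_unpack("!H", buf) if not _is_grease(v)]


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]   # client_version, not record version
    pos += 2
    pos += 32                                              # client random
    sid_len = body[pos]
    pos += 1 + sid_len                                     # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len])
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                                    # compression methods

    extensions, curves, formats = [], [], []
    if pos < len(body):                                    # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if _is_grease(etype):
                continue
            extensions.append(etype)
            if etype == 10:                                # supported_groups
                glen = struct.unpack("!H", edata[:2])[0]
                curves = _u16_list(edata[2:2 + glen])
            elif etype == 11:                              # ec_point_formats
                flen = edata[0]
                formats = list(edata[1:1 + flen])

    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, extensions)),
        "-".join(map(str, curves)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed sample ClientHello (not captured traffic): TLS 1.2 version field,
# GREASE + 3 real cipher suites, SNI "example", groups x25519/P-256/P-384,
# uncompressed point format, a GREASE extension and supported_versions.
SAMPLE_CLIENT_HELLO = bytes.fromhex("".join([
    "16", "0301", "0062",                       # record: handshake, length 98
    "01", "00005e",                             # ClientHello, length 94
    "0303",                                     # client_version TLS 1.2 -> 771
    "00" * 32,                                  # random (all zero for the example)
    "00",                                       # session id length 0
    "0008", "0a0a", "1301", "1302", "c02b",     # cipher suites: GREASE, 4865, 4866, 49195
    "01", "00",                                 # compression: null only
    "002d",                                     # extensions length 45
    "0000", "000c", "000a", "00", "0007", b"example".hex(),  # server_name (0)
    "000a", "0008", "0006", "001d", "0017", "0018",         # supported_groups (10)
    "000b", "0002", "01", "00",                              # ec_point_formats (11)
    "0a0a", "0000",                                          # GREASE extension, ignored
    "002b", "0003", "02", "0304",                            # supported_versions (43)
]))

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print(ja3_string)   # 771,4865-4866-49195,0-10-11-43,29-23-24,0
    print(ja3_hash)
```

Two things worth knowing before blocking on the result: the version field hashed is the ClientHello's own `client_version`, which TLS 1.3 clients still set to 771 (the real version negotiation lives in extension 43), and the extension order is part of the hash, so a client that randomises extension order will not give one stable JA3 (that is the problem the ja3n variant mentioned later in the thread addresses by sorting the extension list).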
       
 (DIR) Post #At4NUt341tlfyC5EOW by tejr@mastodon.sdf.org
       2025-04-14T03:50:27Z
       
       0 likes, 0 repeats
       
       @Dryusdan If you try this, let me know if the sig you find matches mine: 5cc600468c246704e1699c12f51eb3ab
       
 (DIR) Post #At4o7PUGT9PSOBpu2C by Dryusdan@social.dryusdan.fr
       2025-04-14T08:32:38.317845Z
       
       0 likes, 0 repeats
       
        @tejr I found the same sig for this pattern!
       
 (DIR) Post #At4o7QkFnBnGI4KBay by tejr@mastodon.sdf.org
       2025-04-14T08:48:42Z
       
       0 likes, 0 repeats
       
       @Dryusdan Yep, then the approach I suggest should work.  Please let me know if I can help...!
       
 (DIR) Post #At4pZMjKPgDNtumBIO by Dryusdan@social.dryusdan.fr
       2025-04-14T08:50:39.253971Z
       
       0 likes, 0 repeats
       
        @tejr Actually a new world has opened up to me :D A long time ago I installed Suricata on my lab but didn't find any use case... Now I have one :D I need to learn 😇 Thanks!
       
 (DIR) Post #At4pZNkmbkyN4iSrCa by tejr@mastodon.sdf.org
       2025-04-14T09:04:55Z
       
       0 likes, 0 repeats
       
       @Dryusdan Yes, it was new to me too.  You're welcome!
       
 (DIR) Post #At5pP9sRXWiQIg8GLA by Dryusdan@social.dryusdan.fr
       2025-04-14T20:31:44.936668Z
       
       1 likes, 0 repeats
       
        @tejr Fun fact: I found a way to implement ja3n in HAProxy (okay, somebody else wrote the code: https://github.com/O-X-L/haproxy-ja3n/ ), but it's totally possible to do this in one line with HAProxy: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#7.3.4-ssl_fc_protocol_hello_id This is easier to check in the logs :D
       
 (DIR) Post #At7HxwLKqIGIKqynzM by Dryusdan@social.dryusdan.fr
       2025-04-15T13:05:42.327179Z
       
       0 likes, 0 repeats
       
        @tejr Hello o/ I have a little question about your Suricata installation 😇 I tried to configure Suricata using nftables, but I encountered an error... Hmm, no error, but I don't get any packet analysis 😅 In --af-packet mode I can see all the packets but I can't drop anything. And in nfqueue mode I just can't see any packets... Do you run your Suricata installation on a "router" or just in front of your reverse proxy? :D (Because all the documentation I found uses the forwarding hook :/ )
       
 (DIR) Post #At7HxxPyqVZVfYA1rs by tejr@mastodon.sdf.org
       2025-04-15T13:32:27Z
       
       0 likes, 0 repeats
       
        @Dryusdan You need nft or iptables rules to send HTTPS INPUT and OUTPUT to an NFQUEUE target.  I am still using iptables (I need to learn nftables):
        
        iptables -I INPUT -p tcp --dport 443 -j NFQUEUE
        iptables -I OUTPUT -p tcp --sport 443 -j NFQUEUE
        
        Then start Suricata like this:
        
        /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D
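
The NFQUEUE rules and the `-q 0` start above get the packets into Suricata; the rule that actually matches the botnet's ClientHello is not quoted in the thread. The following is an added example, not a rule posted by either participant. It assumes Suricata 5 or newer (the `ja3.hash` sticky buffer), `app-layer.protocols.tls.ja3-fingerprints: yes` in suricata.yaml so JA3 is computed at all, the hash tejr posted above, and an arbitrary rule file name and sid; the `reject` action sends the TCP RST tejr mentions and, in IPS mode, also drops the packet (use `drop` instead for a silent discard).

```suricata
# /etc/suricata/rules/local.rules   (file name is an assumption; list it under
# rule-files in suricata.yaml). Requires ja3-fingerprints: yes under
# app-layer.protocols.tls, and Suricata running inline (-q <queue>) so that
# reject/drop take effect instead of only alerting.
#
# Destination is "any 443" rather than "$HOME_NET 443" on purpose: the default
# HOME_NET is the RFC 1918 ranges, which a public Forgejo host's address is not in.
reject tls any any -> any 443 (msg:"Known scraper botnet JA3 client fingerprint"; \
    flow:to_server,established; \
    ja3.hash; content:"5cc600468c246704e1699c12f51eb3ab"; \
    classtype:policy-violation; sid:1000001; rev:1;)
```

Test it with `suricata -T -c /etc/suricata/suricata.yaml` before restarting; a typo in the rule file is reported there rather than silently leaving the server unprotected. If the queue number in the nft/iptables rule and the `-q` argument differ (the thread below mentions queues 3-5), Suricata sees nothing and no rule can match, which is the symptom described in the previous post.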
       
 (DIR) Post #AtHNf4MtuJobYt9DF2 by Dryusdan@social.dryusdan.fr
       2025-04-15T14:13:07.463356Z
       
       0 likes, 0 repeats
       
        @tejr Like mine, but I use queue num 3-5 because the documentation says "do not use 0, it's used by the kernel". I'll check this :)  Thanks
       
 (DIR) Post #AtHNf5fN58BTaSnTfc by tejr@mastodon.sdf.org
       2025-04-20T10:23:25Z
       
       0 likes, 0 repeats
       
       @Dryusdan Hello; I'm interested to know if you've seen the botnet stop.  Over the past day or so the requests-per-hour from the known-bad TLS client as identified by JA3 hash has trickled down to nearly zero, from a height of more than 20,000 an hour.  I'm curious to know if they reacted to my mitigation efforts, or if they've just stopped bullying Git web interfaces like ours in general?