SO making FTP communications to multiple regional registries #8201
-
Hey, I've been using Security Onion for a little bit now and I've seen on two occasions this month (on Saturdays at ~23:30 PST) that it makes FTP calls to multiple IP registries. I've seen ARIN, APNIC, LACNIC, RIPE NCC, AFRINIC, and there were around 20-ish calls in the space of a minute. I also see traffic over high ports (> 49000) to the same IPs. I did look up this issue and found this on Reddit, is that the case here? Is there a reason why it's doing this? We don't have the packets captured so I can't really look at them. Why use FTP? Thanks.
Replies: 3 comments
-
I know on 16.04 it used to go out via FTP to download IP Region codes (ARIN/APNIC) like you mentioned above, don't remember the frequency of the updates.
-
Yes, it sounds like GeoIP update activity.
-
It seems like you're still using the old Security Onion 16.04. If that is the case, please note that 16.04 is past End Of Life and you should make plans to upgrade to the current Security Onion 2.3:
https://docs.securityonion.net/en/2.3/eol.html