Hello All! Not sure if anyone else is running a bridge behind a UniFi UXG but in my Flow log I am seeing blocked items with the Category of "DShield Block List" and Signature of "ET DROP Dshield Block Listed Source group 1" and the connection is being blocked.
I'm thinking these alerts can be set to Allow Signature? Am I wrong on this one?
Malcolm
Not familiar with how bridge traffic appears on Unifi IDS/IPS, only Tor relay traffic and sharing that as a proxy to help.
On Unifi Network v9.0.114, the latest, there are three options I've seen: 1) Disable "active detections" 2) "Suppressed Signatures" 3) "Detection Exclusions"
All three options under Network -> Settings -> Security -> Protection
Specifically for Tor relay traffic (not sure how bridge traffic is flagged by Unifi IDS/IPS): 1) You can disable a group called "Peer to Peer and Dark Web" which has "TOR" and "Dark Web Block List" as options. If you don't want to block or notify on your network, you can disable these groups of signatures.
2) You can suppress specific signatures - I think this is what you're calling "Allow Signature", for "TOR" category and "ET TOR Known Tor Relay/Router..." If you don't want to block or notify, you can disable specific signatures across all your network.
3) You can exclude the specific device by IP address from all IDS/IPS. If you don't want any IDS/IPS on specific devices, you can disable notify / blocking on them.
Pros / Cons to each approach, but hopefully the three options give decent flexibility.
For bridge traffic, worth learning whether these IDS/IPS signature detections are something you find concerning. I'd suspect they shouldn't be, but good to confirm.
Suggestion - check the IP addresses, source and destination, check the specific signature, and see if you feel comfortable with the traffic. Example on signature research page, "ET Drop Dshield..." - ET is Emerging Threats - https://rules.emergingthreats.net/
Fairly sure most are based on Suricata, which is fairly open / public with many rulesets and used in many different systems beyond Unifi.

On Monday, March 31st, 2025 at 9:28 AM, Malcolm MacDonald via tor-relays tor-relays@lists.torproject.org wrote:

> Hello All! Not sure if anyone else is running a bridge behind a UniFi UXG but in my Flow log I am seeing blocked items with the Category of "DShield Block List" and Signature of "ET DROP Dshield Block Listed Source group 1" and the connection is being blocked.
> I'm thinking these alerts can be set to Allow Signature? Am I wrong on this one?
> Malcolm
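The triage the reply suggests (check source and destination, check the signature, then decide between suppressing it and excluding the host), worked through as an added example that is not from the thread or from UniFi. The rule text, the alert record layout and every address are constructed; the bridge is assumed to listen on 192.168.1.50:443, and the sid is a placeholder, not the real ET one.

```python
import ipaddress
import re
from collections import Counter

SIG = "ET DROP Dshield Block Listed Source group 1"   # signature named in the thread
# Constructed rule in the ET DROP style: a bracketed CIDR list as the source side.
SAMPLE_RULE = ('drop ip [203.0.113.0/24,198.51.100.7] any -> $HOME_NET any '
               f'(msg:"{SIG}"; sid:9000001; rev:1;)')
# Constructed alert records; 192.168.1.50:443 is the assumed bridge address and port.
SAMPLE_ALERTS = [
    {"signature": SIG, "src": "203.0.113.25", "dst": "192.168.1.50", "dport": 443},
    {"signature": SIG, "src": "198.51.100.7", "dst": "192.168.1.50", "dport": 443},
    {"signature": SIG, "src": "192.168.1.50", "dst": "203.0.113.9", "dport": 9001},
]

def rule_source_networks(rule):
    """Parse a Suricata rule header's source field into ip_network objects.
    'any' and variables such as $EXTERNAL_NET cannot be resolved here and yield []."""
    m = re.match(r'^\w+\s+\w+\s+(\S+)\s+\S+\s+->', rule)
    if not m:
        raise ValueError("unrecognised rule header")
    field = m.group(1).strip('[]')
    if field == 'any' or field.startswith('$'):
        return []
    return [ipaddress.ip_network(n, strict=False) for n in field.split(',')]

def source_listed(rule, src_ip):
    """True when src_ip falls inside one of the rule's listed source networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in rule_source_networks(rule))

def triage(alerts, bridge_ip, bridge_port):
    """Count alerts per (signature, direction) relative to the bridge's listening port."""
    summary = Counter()
    for a in alerts:
        direction = "other"
        if a["dst"] == bridge_ip and a["dport"] == bridge_port:
            direction = "inbound-to-bridge"      # a client reaching the bridge
        elif a["src"] == bridge_ip:
            direction = "outbound-from-bridge"   # the bridge itself initiating
        summary[(a["signature"], direction)] += 1
    return summary

def suppression_candidates(summary):
    """Signatures whose hits are all inbound to the bridge port: expected for a public
    service, so candidates for per-signature suppression; outbound hits stay on review."""
    by_sig = {}
    for (sig, direction), _ in summary.items():
        by_sig.setdefault(sig, set()).add(direction)
    return sorted(sig for sig, dirs in by_sig.items() if dirs == {"inbound-to-bridge"})
```

With the sample data the third record (the bridge connecting out to a listed address) keeps the signature off the suppression list, which is the case worth looking at before choosing any of the three UniFi options.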