stamparm / maltrail

Malicious traffic detection system
MIT License

False positive `a0.awsstatic.com` in the Blacklist #19055

Closed PeterDaveHello closed 2 years ago

PeterDaveHello commented 2 years ago

a0.awsstatic.com is in the Blacklist https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt mentioned here: https://github.com/stamparm/maltrail#blacklist

Blocking a0.awsstatic.com would break https://aws.amazon.com/, because a lot of static resources are loaded from that domain, e.g.

https://a0.awsstatic.com/libra/1.0.434/csp/csp-report.js
https://a0.awsstatic.com/libra-css/css/1.0.407/style-awsm.css
https://a0.awsstatic.com/da/js/1.0.48/aws-da.js
https://a0.awsstatic.com/libra/1.0.434/libra-head.js
https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
https://a0.awsstatic.com/libra/1.0.434/libra-bundle.js
https://a0.awsstatic.com/eb-csr/1.0.9/orchestrate.css
https://a0.awsstatic.com/eb-csr/1.0.9/orchestrate.js
https://a0.awsstatic.com/target/1.0.120/aws-target-mediator.js
https://a0.awsstatic.com/libra-css/images/logos/aws_smile-header-desktop-en-white_59x35.png
https://a0.awsstatic.com/libra-css/fonts/fontawesome/4.7.0/fontawesome-webfont.woff
https://a0.awsstatic.com/libra-css/fonts/fontawesome/4.7.0/fontawesome-webfont.woff
https://a0.awsstatic.com/libra-css/css/1.0.407/vendor/fontawesome.css
https://a0.awsstatic.com/libra/1.0.434/components/popover.js
https://a0.awsstatic.com/libra/1.0.434/components/modal.js
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Rg.woff2
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Bd.woff2
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Lt.woff2
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Rg.woff2
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Bd.woff2
https://a0.awsstatic.com/libra-css/fonts/amazon-ember/AmazonEmber_Lt.woff2
https://a0.awsstatic.com/libra/1.0.434/components/tabs.js
https://a0.awsstatic.com/libra/1.0.434/components/cards.js
https://a0.awsstatic.com/libra/1.0.434/components/sort.js
https://a0.awsstatic.com/libra/1.0.434/components/gi-map.js
https://a0.awsstatic.com/libra/1.0.434/components/section-indicator.js
https://a0.awsstatic.com/libra/1.0.434/components/modal-mixin.js
https://a0.awsstatic.com/libra/1.0.434/components/carousel.js
https://a0.awsstatic.com/libra/1.0.434/vendor/owl.carousel.js
https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Map.svg
https://a0.awsstatic.com/libra/1.0.434/libra-cardsui/themes/showcase-grid.js

I checked this domain with the secure DNS resolvers below; none of them blocked it:

I didn't see other blacklists blocking this domain either. May I send a pull request to whitelist it? Thanks!

PeterDaveHello commented 2 years ago

BTW, other subdomains of awsstatic.com, like d1.awsstatic.com and s0.awsstatic.com, are also referenced by aws.amazon.com; not sure if it's better to whitelist the whole domain.
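
To make the "whitelist one subdomain" versus "whitelist the whole domain" question concrete, here is an added Python example. It is not maltrail's own code and does not claim to reproduce how maltrail evaluates its trails; it only shows the two policies side by side using the one-domain-per-line, `#`-comment list format of maltrail-malware-domains.txt. The sample entries, the suffix-match rule (a host matches an entry that is one of its parent domains) and the whitelist-wins precedence are assumptions of this example.

```python
from typing import Iterable, Set

# Constructed sample lists for this example (not the real maltrail trails):
# one hostname per line, '#' starts a comment.
BLACKLIST_TEXT = """\
# constructed sample blacklist
a0.awsstatic.com
evil.example
"""

# Policy A: whitelist only the single host reported in the issue.
WHITELIST_HOST_ONLY = """\
a0.awsstatic.com
"""

# Policy B: whitelist the whole parent domain (covers d1, s0, ... as well).
WHITELIST_WHOLE_DOMAIN = """\
awsstatic.com
"""


def parse_list(text: str) -> Set[str]:
    """Parse a one-domain-per-line list, dropping comments, blanks and a trailing dot."""
    entries: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.add(line)
    return entries


def parent_domains(host: str) -> Iterable[str]:
    """Yield the host itself, then each parent: a0.awsstatic.com, awsstatic.com, com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches(host: str, entries: Set[str]) -> bool:
    """Suffix match (assumed rule): the host or any parent domain appears in the list."""
    return any(candidate in entries for candidate in parent_domains(host))


def classify(host: str, blacklist: Set[str], whitelist: Set[str]) -> str:
    """Whitelist wins over blacklist (assumed precedence).

    Returns 'whitelisted', 'blacklisted' or 'clean'.
    """
    if matches(host, whitelist):
        return "whitelisted"
    if matches(host, blacklist):
        return "blacklisted"
    return "clean"


def compare_policies(hosts: Iterable[str]) -> dict:
    """Classify each host under both whitelist policies; keys are (host, policy)."""
    blacklist = parse_list(BLACKLIST_TEXT)
    policies = {
        "host-only": parse_list(WHITELIST_HOST_ONLY),
        "whole-domain": parse_list(WHITELIST_WHOLE_DOMAIN),
    }
    return {(h, name): classify(h, blacklist, wl)
            for h in hosts for name, wl in policies.items()}


if __name__ == "__main__":
    for (host, policy), verdict in sorted(compare_policies(
            ["a0.awsstatic.com", "d1.awsstatic.com", "cdn.evil.example", "example.org"]).items()):
        print(f"{host:22} {policy:13} {verdict}")
```

Under the host-only policy, d1.awsstatic.com is neither whitelisted nor blacklisted by the sample lists, so a future blacklist entry for it would still fire; under the whole-domain policy every present and future awsstatic.com subdomain is cleared, which is the trade-off the whole-domain option implies.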

MikhailKasimov commented 2 years ago

Hello!

Fix: https://github.com/stamparm/maltrail/commit/366a74e9afa1608b0dacab32022ee8b283b93ad9 Whitelisting: https://github.com/stamparm/maltrail/commit/db79afa0ac2fea457ec2c975e24bd0da2f37674f

Sorry for FP. :-(

PeterDaveHello commented 2 years ago

No worries, and thanks for the prompt correction. I'd like to see more discussion and more PRs being accepted; it'll give you the power of open source contribution and crowdsourcing ;)

(I believe that a few minutes delay of the whitelisting won't affect too much)

MikhailKasimov commented 2 years ago

@PeterDaveHello Please check whether the FP is no longer reproducible on your side after updating the trails. If everything is OK, I will close the issue.

PeterDaveHello commented 2 years ago

Hi @MikhailKasimov, I can confirm that the latest blacklist removed the FP a0.awsstatic.com, thanks!