USG Flex 200 URL Blocking log

Vagabound

Since a few days I have the following message in the FW logfiles: URL Blocking - > Botnet URL -> ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUr -> Threat Category -> Malicious Sites.
Once per day, do I need to worry that there is a botnet running or is this harmless?

Zyxel_Cooldia

Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org  and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.

https://ocsp.pki.goog/ 

https://e1.o.lencr.org

smb_corp_user

Looks like you have got a false positive there, at least as long as you can trust Google and the USA.

IANA WHOIS Service: https://www.iana.org/whois?q=ocsp.pki.goog

contact:                administrative

name:                   TLD Admin

organisation:        Google Inc

address:               111 8th Avenue

address:               New York NY 10011

address:               United States of America (the)

phone:                  +1 404 978 8419

fax-no:                 +1 650 492 5631

e-mail:                 iana-contact@google.com

(Note: your URL contains the part "MFEwTzBNMEswSTAJBgUr" which is likely only an individual key for a specific event or computer access, not necessarily anything compromising.)

Vagabound

Thank you for your explanation, so that means I can ignore this message.
Should this URL be whitelisted by the firewall or not change it?

Zyxel_Cooldia

Hi @Vagabound,

The URL  ocsp.pki.goog(pki-goog.l.google.com) has been corrected to to Software/Hardware,Technical Information category.

Please have a check.

Vagabound

Thank you for your feedback.

The URL ocsp.pki.goog(pki-goog.l.google.com) no longer appears in the blocklist as far as I can see.

But now a lot of these are in the log file:

e1.o.lencr.org -> Phishing -> 77.109.138.73 -> ACCESS BLOCK
x1.c.lencr.org -> Phishing ->104.79.24.135 -> ACCESS BLOCK

Vagabound

It seems that the problem with the URL ocsp.pki.goog(pki-goog.l.google.com) is not fixed after all. Just now another log message -> alert -> url-threat-filter -> ACCESS BLOCK -> ocsp.pki.goog: -> Malicious Sites.

raph_soc

same as Vagabound

lots of x1.c.lencr.org:Phishing the past few days

destination IP: 23.217.185.252;104.108.45.242;104.93.207.219;104.82.150.7

Vagabound

Yes, I think Zyxel has a problem there.
I am in contact with the support, but so far no solution. Maybe there is still something coming.

raph_soc

Vagabound said:

Yes, I think Zyxel has a problem there.
I am in contact with the support, but so far no solution. Maybe there is still something coming.

alright. can you please keep me posted if you have any news ?

Vagabound

I will do this as soon as I get a message from the support to solve the problem. Unfortunately, I have not read anything from support for three days. Seems to be a complex problem.

Zyxel_Cooldia

Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org  and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.

https://ocsp.pki.goog/ 

https://e1.o.lencr.org