USG Flex 200 URL Blocking log
Since a few days I have the following message in the FW logfiles: URL Blocking - > Botnet URL -> ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUr -> Threat Category -> Malicious Sites.
Once per day, do I need to worry that there is a botnet running or is this harmless?
Once per day, do I need to worry that there is a botnet running or is this harmless?
0
Accepted Solution
-
Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.
https://ocsp.pki.goog/
https://e1.o.lencr.org
1
All Replies
-
Looks like you have got a false positive there, at least as long as you can trust Google and the USA.
IANA WHOIS Service: https://www.iana.org/whois?q=ocsp.pki.googcontact: administrativename: TLD Adminorganisation: Google Incaddress: 111 8th Avenueaddress: New York NY 10011address: United States of America (the)phone: +1 404 978 8419fax-no: +1 650 492 5631e-mail: iana-contact@google.com(Note: your URL contains the part "MFEwTzBNMEswSTAJBgUr" which is likely only an individual key for a specific event or computer access, not necessarily anything compromising.)0 -
Thank you for your explanation, so that means I can ignore this message.
Should this URL be whitelisted by the firewall or not change it?
0 -
Hi @Vagabound,The URL ocsp.pki.goog(pki-goog.l.google.com) has been corrected to to Software/Hardware,Technical Information category.Please have a check.0
-
Thank you for your feedback.
The URL ocsp.pki.goog(pki-goog.l.google.com) no longer appears in the blocklist as far as I can see.
But now a lot of these are in the log file:
e1.o.lencr.org -> Phishing -> 77.109.138.73 -> ACCESS BLOCK
x1.c.lencr.org -> Phishing ->104.79.24.135 -> ACCESS BLOCK
1 -
It seems that the problem with the URL ocsp.pki.goog(pki-goog.l.google.com) is not fixed after all. Just now another log message -> alert -> url-threat-filter -> ACCESS BLOCK -> ocsp.pki.goog: -> Malicious Sites.
0 -
same as Vagaboundlots of x1.c.lencr.org:Phishing the past few daysdestination IP: 23.217.185.252;104.108.45.242;104.93.207.219;104.82.150.7
0 -
Yes, I think Zyxel has a problem there.
I am in contact with the support, but so far no solution. Maybe there is still something coming.
1 -
I will do this as soon as I get a message from the support to solve the problem. Unfortunately, I have not read anything from support for three days. Seems to be a complex problem.
1 -
Hi @Vagabound, and @raph_soc,
Both URL https://e1.o.lencr.org and https://ocsp.pki.goog/ are in correct category now.
As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
It may need to take 3-5 business days, will update status once it is in correct category.
https://ocsp.pki.goog/
https://e1.o.lencr.org
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight