Hi there,
I just noticed that the filebeat agents installed on the clients are talking quite frequently to 34.111.17.235 (235.17.111.34.bc.googleusercontent.com). Is it possible to configure the agents not to do that without having to block the traffic?
Kind regards
Drops
What do you have configured in your filebeat? Which modules did you enable?
Did you enable any threat intel modules, like the Abuse.ch module?
The IP address you shared is the endpoint for the Malwarebazer API of Abuse.ch, this is used by the threat intel module.
- module: threatintel
malwarebazaar:
enabled: true
var.input: httpjson
var.url: https://mb-api.abuse.ch/api/v1/
var.interval: 10m
$ dig @8.8.8.8 mb-api.abuse.ch
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @8.8.8.8 mb-api.abuse.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27000
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mb-api.abuse.ch. IN A
;; ANSWER SECTION:
mb-api.abuse.ch. 181 IN A 34.111.17.235
thnx a lot, didnt think of that.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.