Why Am I Not Seeing Beacons Proxy or Proxied Long Connections Entries After Whitelisting My Proxy System?

Beacons Proxy and Whitelisting

If you’re intending to use the Beacons Proxy tab to investigate connections sent through an HTTP proxy and you’re running AC-Hunter 5.3.1 or lower, you should be aware of an interaction with the whitelisting module. Let’s say your HTTP proxy is at IP address 8.7.6.5 and has a hostname of “proxy1.example.com”. If you whitelist any of the following you will not see any entries in the Beacons Proxy tab:

  • The IP address 8.7.6.5
  • The hostname proxy1.example.com
  • The domain example.com with a wildcard


To fix this, please do all of the following:

1) Upgrade to AC-Hunter 5.4.0 or above. You can download this from your portal account.

2) Edit /etc/AC-Hunter/rita.yaml with your preferred editor under sudo.

sudo nano /etc/AC-Hunter/rita.yaml

Edit the “AlwaysInclude” line so that the IP address of the proxy is included in the list. Here’s an example:

AlwaysInclude: ["8.8.8.8/32","place_proxy_internal_ip_here/32"]

Make sure this line continues to have the same number of leading spaces as the InternalSubnets line, has no leading tabs, uses standard double quotes, has a “/32” after the proxy IP address, and has no spaces between the square brackets.

3) Restart AC-Hunter with:

hunt down
hunt up -d --force-recreate

4) The entries will start to show up in the Beacons Proxy tab over the next 24 hours. You do not need to remove the whitelist entry to handle this issue in the Beacons Proxy tab.
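The formatting rules in step 2 are easy to get subtly wrong (a tab instead of spaces, curly quotes pasted from a document, a stray space inside the brackets), and a malformed line will not take effect. The script below is an added example written for this FAQ, not a tool shipped with AC-Hunter or RITA: it reads a rita.yaml, reports any of those rule violations on the AlwaysInclude line, and can rewrite the line with the proxy's /32 entry appended while keeping the existing indentation. It assumes the Filtering section looks like the constructed sample embedded in the script (key names from this page, sample addresses invented); the script name and command-line arguments are hypothetical.

```python
"""Check (and optionally fix) the AlwaysInclude line in an AC-Hunter rita.yaml.

Added example for this FAQ; not part of AC-Hunter or RITA. It encodes the
formatting rules from step 2: same indentation as InternalSubnets, no tabs,
plain double quotes, every entry in CIDR form with /32 for the proxy host,
and no spaces inside the square brackets.
"""
import ipaddress
import re
import sys

# Constructed sample of the relevant part of /etc/AC-Hunter/rita.yaml.
# A real file has many more keys and comments; only these two lines matter here.
SAMPLE_RITA_YAML = """\
Filtering:
  InternalSubnets: ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]
  AlwaysInclude: ["8.8.8.8/32"]
"""

# Matches either key, capturing its leading whitespace and the raw value text.
KEY_RE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<key>InternalSubnets|AlwaysInclude):[ \t]*(?P<value>.*)$"
)


def _find_key(text, key):
    """Return (line number, indent, value) for the first line setting `key`, or None."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m and m.group("key") == key:
            return lineno, m.group("indent"), m.group("value").rstrip()
    return None


def check_always_include(text, proxy_ip):
    """Return a list of problems (an empty list means the line satisfies every rule)."""
    problems = []
    internal = _find_key(text, "InternalSubnets")
    always = _find_key(text, "AlwaysInclude")
    if always is None:
        return ["AlwaysInclude line not found"]
    lineno, indent, value = always
    where = f"line {lineno}:"
    if "\t" in indent:
        problems.append(f"{where} leading tabs (indent with spaces only)")
    if internal is not None and indent != internal[1]:
        problems.append(f"{where} indentation differs from InternalSubnets")
    if any(ch in value for ch in "\u201c\u201d'"):
        problems.append(f"{where} curly or single quotes (use plain double quotes)")
    if not (value.startswith("[") and value.endswith("]")):
        problems.append(f"{where} value is not a [...] list")
        return problems
    inner = value[1:-1]
    if " " in inner:
        problems.append(f"{where} spaces inside the square brackets")
    entries = [e.strip() for e in inner.split(",") if e.strip()]
    for entry in entries:
        if not (len(entry) >= 2 and entry.startswith('"') and entry.endswith('"')):
            problems.append(f"{where} entry {entry} is not double-quoted")
            continue
        cidr = entry[1:-1]
        if "/" not in cidr:
            problems.append(f"{where} {cidr} has no prefix length (use /32 for one host)")
            continue
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{where} {cidr} is not a valid CIDR block")
    wanted = f'"{proxy_ip}/32"'
    if wanted not in entries:
        problems.append(f"{where} proxy entry {wanted} missing")
    return problems


def add_proxy_to_always_include(text, proxy_ip):
    """Return `text` with "<proxy_ip>/32" appended to AlwaysInclude, keeping the indent."""
    ipaddress.ip_address(proxy_ip)  # raises ValueError for a malformed address
    wanted = f'"{proxy_ip}/32"'
    out = []
    for line in text.splitlines(keepends=True):
        m = KEY_RE.match(line.rstrip("\r\n"))
        if m and m.group("key") == "AlwaysInclude":
            value = m.group("value").strip()
            body = value[1:-1] if value.startswith("[") and value.endswith("]") else ""
            entries = [e.strip() for e in body.split(",") if e.strip()]
            if wanted not in entries:
                entries.append(wanted)
            # Rebuild in exactly the form the FAQ asks for: double quotes, no spaces.
            line = f"{m.group('indent')}AlwaysInclude: [{','.join(entries)}]\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    # Hypothetical usage: python check_always_include.py /etc/AC-Hunter/rita.yaml <proxy-ip>
    path, proxy = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        content = fh.read()
    for problem in check_always_include(content, proxy) or ["AlwaysInclude line looks correct"]:
        print(problem)
```

Run the checker before restarting in step 3; an empty report means the line matches all of the rules above. The rewrite helper deliberately emits the list with no spaces and plain double quotes so the result passes the same checks, and it raises on an address that is not a valid IP rather than writing a broken entry.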


Long Connections and Whitelisting

Long Connections sent through the proxy are affected by the same problem if the proxy is whitelisted by any of the 3 methods listed above, in AC-Hunter versions 5.4.0 and below (5.4.0 is the most recent version as of 9/14/2021).

To see Long Connections routed through a proxy, please remove any whitelist entries that match this proxy system. As new data is imported it will show up again in your rolling databases over the next 24 hours.

We anticipate that a future release of AC-Hunter will address this and allow inspecting proxy-routed Long Connections while still whitelisting the proxy system.


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3884

Category: AC-Hunter General