My Native Access download failed problem solved! NI should probably look into this.

DaLynxx (Member, Posts: 1, Newcomer)

Hello,

A couple of weeks ago I updated my KOMPLETE package. Paid a lot of money, but was looking forward to testing out the new and updated instruments.

However, Native Access was not able to download anything at all. It started, but failed.

After hunting for answers on the web, re-installing, and trying out different OSes and computers, I finally managed today to find out what was causing it, at least for my setup.

It looks as if Native Access might be using the open source download client aria2 (search on GitHub... I can't post links here :) ).

There's nothing malicious with "aria2" as such. However, it seems as if aria2 has been used by some actually malicious trojan software somewhere in the past.

My Unifi UDM Pro router/gateway marked and blocked all the traffic that Native Access tried to send through. It reacts on the so-called "user-agent", i.e. the string that an HTML client presents to the server to tell "What kind of browser am I". Somewhere in the user-agent for aria2 there is a part of a string that looks like this: "aria2/". Depending on your settings, the Unifi router might a) do nothing, b) notify in logs... or c) (as I had mine configured) notify AND BLOCK!

This is of course bad for the combination of running a Unifi product in your network with this setting and wanting to download from NI.

However, behind the curtains there are other things that I believe make this something for NI to look into, and they would probably be better off by changing the "user-agent" string that Native Access is using while trying to connect to its servers.

Unifi is using the open source IDS Suricata (google it... can't post links) for its threat hunting.

And the "aria2/" trigger is actually from Suricata's own rule set. This means that anywhere in the network setup between you and the NI servers where Suricata is used, this rule might be triggered.

Maybe this will help someone else struggling with Native Access.

 -----

Technical mumbo jumbo below:


The rule in Suricata looks like this:

"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; http.user_agent; content:"aria2/"; depth:6; fast_pattern; reference:url,github.com/aria2/aria2; reference:md5,eb042fe28b8a235286df2c7f4ed1d8a8; classtype:trojan-activity; sid:2027286; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)"

I believe that Native Access uses the user-agent "aria2/1.36.0"
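To show why the rule quoted above fires on one user-agent string and not on another, here is an added example (not code from this post, from NI or from Suricata): a simplified Python emulation that parses the content/depth/nocase options following the http.user_agent sticky buffer and applies them to a few constructed user-agent strings. It is an assumption that Native Access sends exactly "aria2/1.36.0"; the other strings are made up for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The rule as quoted in the post (sid:2027286), reproduced without the metadata tail.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; '
    'http.user_agent; content:"aria2/"; depth:6; fast_pattern; '
    'reference:url,github.com/aria2/aria2; classtype:trojan-activity; sid:2027286; rev:2;)'
)

# Constructed sample user-agent strings (not captured traffic).
SAMPLE_USER_AGENTS = [
    "aria2/1.36.0",                                 # assumed Native Access string
    "Mozilla/5.0 (Windows NT 10.0) aria2/1.36.0",   # same substring, but past depth:6
    "Aria2/1.36.0",                                 # different case; rule has no nocase
    "curl/8.0.1",                                   # unrelated client
]


@dataclass
class UserAgentMatch:
    content: bytes
    depth: Optional[int]
    nocase: bool


def parse_user_agent_match(rule: str) -> UserAgentMatch:
    """Extract content/depth/nocase that follow the http.user_agent sticky buffer.
    Only the option subset this rule uses is handled (no offset/distance/within, no |hex|)."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    after_buf = opts.split("http.user_agent;", 1)[1]
    m = re.search(r'content:"([^"]+)";', after_buf)
    if not m:
        raise ValueError("no content option after http.user_agent")
    d = re.search(r"depth:(\d+);", after_buf)
    return UserAgentMatch(
        content=m.group(1).encode(),
        depth=int(d.group(1)) if d else None,
        nocase=re.search(r"\bnocase;", after_buf) is not None,
    )


def rule_fires(user_agent: str, match: UserAgentMatch) -> bool:
    """depth:N confines the search to the first N bytes of the buffer, so the whole
    content must sit inside that window; without nocase the comparison is case-sensitive."""
    buf, needle = user_agent.encode(), match.content
    if match.nocase:
        buf, needle = buf.lower(), needle.lower()
    window = buf if match.depth is None else buf[: match.depth]
    return needle in window


def triage(agents=SAMPLE_USER_AGENTS, rule: str = RULE) -> Dict[str, bool]:
    """Map each sample user-agent to whether the rule would alert on it."""
    match = parse_user_agent_match(rule)
    return {ua: rule_fires(ua, match) for ua in agents}
```

Because "aria2/" is six bytes and depth is 6, the rule only alerts when the user-agent starts with that exact string, which is why a browser-style string that merely mentions aria2 later on does not trip it.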
