My Native Access download failed problem solved! NI should probably look into this.

DaLynxx
DaLynxx Member Posts: 1 Newcomer
edited October 22 in Native Access

Hello,

A couple of weeks ago I updated my KOMPLETE package. Paid a lot of money but was looking forward to testing out the new and updated instruments.

However, Native Access was not able to download anything at all. It started, but failed.

After hunting for answers on the web, re-installing, and trying out different OSes and computers, I finally managed today to find out what was causing it, at least for my setup.

It looks as if Native Access might be using the open source download client aria2 (search on GitHub... I can't post links here :) )

There's nothing malicious about "aria2" as such. However, it seems as if aria2 has been used by some actually malicious trojan software somewhere in the past.

My Unifi UDM Pro router/gateway marked and blocked all the traffic that Native Access tried to send through. It reacts to the so-called "user-agent", i.e. the string that a html client presents to the server to tell "What kind of browser am I". Somewhere in the user-agent for aria2 there is a part of a string that looks like this: "aria2/". Depending on your settings the Unifi router might a) do nothing, b) notify in logs... or c) (as I had mine configured) notify AND BLOCK!

This is of course bad for the combination of running a Unifi product in your network with this setting and wanting to download from NI.

However, behind the curtains there are other things that I believe make this something for NI to look into, and they would probably be better off changing the "user-agent" string that Native Access is using while trying to connect to its servers.

Unifi is using the open source IDS Suricata (google it... can't post links) for its threat hunting.

And the "aria2/" trigger is actually from Suricata's own rule set. This means that anywhere in the network setup between you and the NI servers where Suricata is used, this rule might be triggered.

Maybe this will help someone else struggling with Native Access.

 -----

Technical mumbo jumbo below:


The rule in Suricata looks like this:

"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; http.user_agent; content:"aria2/"; depth:6; fast_pattern; reference:url,github.com/aria2/aria2; reference:md5,eb042fe28b8a235286df2c7f4ed1d8a8; classtype:trojan-activity; sid:2027286; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)"

I believe that Native Access uses the user-agent "aria2/1.36.0"
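
An added example, not part of the original post: a small Python model of the `http.user_agent; content:"aria2/"; depth:6;` part of the rule quoted above, run over constructed log lines to show that the signature is a plain case-sensitive string match anchored to the first six bytes of the header value. The log format, the addresses and the helper names `parse_options`, `ua_match` and `alerting_hosts` are assumptions made for illustration.

```python
import re

# Rule text copied from the post (reference and metadata options left out).
RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
        'msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; '
        'http.user_agent; content:"aria2/"; depth:6; fast_pattern; '
        'classtype:trojan-activity; sid:2027286; rev:2;)')

# Constructed sample log: '<source ip> "<User-Agent>"' (documentation addresses).
LOG = [
    '192.0.2.10 "aria2/1.36.0"',
    '192.0.2.11 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.0.2.12 "Aria2/1.36.0"',
    '192.0.2.13 "updater (aria2/1.36.0)"',
]

def parse_options(rule):
    """Split the parenthesised option block into (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    pattern = r'\s*([\w.]+)(?::((?:"[^"]*"|[^;])*))?;'
    return [(m.group(1), (m.group(2) or '').strip().strip('"'))
            for m in re.finditer(pattern, body)]

def ua_match(rule, user_agent):
    """Evaluate only the content/depth/nocase options that follow http.user_agent."""
    in_ua, content, depth, nocase = False, None, None, False
    for key, val in parse_options(rule):
        if key == 'http.user_agent':
            in_ua = True            # following options apply to this buffer
        elif in_ua and key == 'content':
            content = val.encode()
        elif in_ua and key == 'depth':
            depth = int(val)        # only the first <depth> bytes are searched
        elif in_ua and key == 'nocase':
            nocase = True
    if content is None:
        return False
    window = user_agent.encode()[:depth]   # depth=None keeps the whole buffer
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window

def alerting_hosts(rule, log_lines):
    """Return the source IPs whose logged User-Agent would fire the rule."""
    hits = []
    for line in log_lines:
        ip, ua = line.split(' ', 1)
        if ua_match(rule, ua.strip('"')):
            hits.append(ip)
    return hits

if __name__ == '__main__':
    print(dict(parse_options(RULE))['sid'], alerting_hosts(RULE, LOG))
```

Only the first constructed line fires: the rule identifies the client software by name and says nothing about what is being downloaded.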

Comments

  • abstrusity
    abstrusity Member Posts: 2 Newcomer

    Thanks, my download speed in Native Access would crawl to ridiculous single-digit Mbps until they would time out.

    I'm using a UDR with a relatively high detection heuristic. Went to the logs and saw blocked connection attempts at the exact time I started the download. Looked at the signature online and landed here on your post. I simply allowed the signature for the time being.

    Thank you very much for posting this here.

    I have nothing more to share on the subject but I'm commenting here for SEO's sake.

    Cheers everyone.

  • PoorFellow
    PoorFellow Moderator Posts: 4,611 mod

    @Hayo_NI, I am curious as to whether you have any comments on this thread and its subject? (thought that you at least might want to get notified about the above 'speculations')

  • reffahcs
    reffahcs Member Posts: 848 Guru

    This is exactly why I stopped using Suricata on my home pfSense system. It just causes too many issues for daily use. It makes sense for the enterprise, but in most cases not for the home user.

  • Old WiseMan
    Old WiseMan Member Posts: 5 Member

    Just to add to this. I also use a Ubiquiti Dream Machine and Native Access downloads are blocked. Now I'm not going to alter my security just for Native Access (I don't get this issue with other downloaders, UVI, Arturia, Steinberg, Izotope, Plugin Alliance, etc). What I can do to get it to work is I spin up a VPN (currently I'm using Hotspot Shield, but other flavours are available) and it works fine. So, a bit of a workaround that might help someone else who has stumbled on this thread.

  • Paul.Theo
    Paul.Theo Member Posts: 1 Newcomer

    Had this same issue and the VPN solution worked, but I wanted to jump in and agree that NI should still look into this - cheers

This discussion has been closed.