Chisel traffic rejected due to "Potential Threat Detected"
All,
We are facing an issue where the chisel client failed to communicate with the server because the traffic is suspected as malicious. From the capture we did, we can see:

| No. | Time | Source | Destination | Protocol | Length | Info | Port |
|---|---|---|---|---|---|---|---|
| 30 | 2023-06-06 20:39:32.904515 | 1.1.3.4 | 4.5.6.7 | HTTP | 295 | GET / HTTP/1.1 | 8082 |
| 31 | 2023-06-06 20:39:32.905755 | 4.5.6.7 | 1.2.3.4 | HTTP | 381 | HTTP/1.1 401 Access Denied (text/html) | 30108 |

and the following body appears: "Potential Threat Detected"
Has anybody faced the same? The root cause is not clear because no traffic scanner or threat detection is running.
Any idea will be welcome.
Thanks
The Websocket protocol string has chisel in it, so they might be looking at that.
I originally wrote chisel to get ssh through hotel wifi, though now it’s used for a lot: lots of red teaming, lots of black hat stuff too I’m guessing, hence the security tools focusing on it.
I won’t change the source and play cat and mouse with security vendors, but you can do it yourself 👍
I thought the same regarding the "chisel" string used for the Websocket protocol. Will give it a try.
@jpillora the WS renaming helped fix the issue. Do you agree to rename it and not use "chisel" as part of the name? Or to allow customizing this name using a command line option? WDYT? Do you want me to create a PR for that?
@yaakov-berkovitch can you point me to where the WS renaming is done? I don't know the Go language.
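The kind of header check suspected in the replies above, seen from the inspecting side, as an added example that is not part of the original thread or of chisel's code: it parses an HTTP request and reports `Sec-WebSocket-Protocol` tokens containing "chisel" on WebSocket upgrades. The sample requests and the token values `chisel-v3` and `graphql-ws` are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// marker: the thread only says the subprotocol string "has chisel in it".
const marker = "chisel"

// Constructed sample requests; "chisel-v3" and "graphql-ws" are assumed token values.
const head = "GET / HTTP/1.1\r\nHost: 4.5.6.7:8082\r\n"
const upgrade = "Upgrade: WebSocket\r\nConnection: Upgrade\r\nSec-WebSocket-Version: 13\r\n"

var samples = []string{
	head + upgrade + "Sec-WebSocket-Protocol: graphql-ws, Chisel-v3\r\n\r\n",
	head + upgrade + "Sec-WebSocket-Protocol: graphql-ws\r\n\r\n",
	head + "Sec-WebSocket-Protocol: chisel-v3\r\n\r\n", // header present, not an upgrade
}

// split flattens repeated header lines and comma-separated lists into tokens.
func split(values []string) []string {
	return strings.FieldsFunc(strings.Join(values, ","), func(r rune) bool {
		return r == ',' || r == ' ' || r == '\t'
	})
}

// FlaggedSubprotocols returns the subprotocol tokens of a WebSocket upgrade
// request that contain marker (case-insensitive); nil for any other request.
func FlaggedSubprotocols(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	isUpgrade := strings.EqualFold(req.Header.Get("Upgrade"), "websocket")
	var hits []string
	for _, t := range split(req.Header.Values("Sec-WebSocket-Protocol")) {
		if isUpgrade && strings.Contains(strings.ToLower(t), marker) {
			hits = append(hits, t)
		}
	}
	return hits, nil
}

func main() {
	for _, s := range samples {
		fmt.Println(FlaggedSubprotocols(s))
	}
}
```

A rule of this shape matches only the subprotocol token, which is consistent with the report above that renaming the string was enough to stop the block.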