I have a Synology RT6600ax router and I got this event from Threat Prevention:
ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3
drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,Chain of Trust - Let's Encrypt; classtype:misc-activity; sid:4033240; rev:1; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
This came from 18.104.22.168 into my PC.
Is this a problem at the source IP? What is the error message trying to say about Let's Encrypt cert and why?
Thanks for any help trying to understand these cryptic error messages as I'm a newbie with this router and Threat Prevention and Let's Encrypt.
Is there a reason to be worried about it from a security standpoint?
That doesn't look like any kind of problem with your certificates. It looks like an INFO class warning. But, you'd be better asking this on a forum for that router or to the Synology router group.
Unfortunately, the Synology router group doesn't seem to know a lot about these either. Apparently the Threat Prevention stuff is just checking signatures from Proofpoint. So I was hoping someone here might be able to shed some light.
So that error message doesn't ring any bells as to what it is trying to communicate?
I'm a LOONG time programmer, but new to the router world and SUPER new to the Threat Prevention world.
I doubt that anyone here knows anything about it, it's the first time I've seen it.
That said, if nobody knows anything about it and it's just a warning with the above quoted reasons, I personally would just ignore it.
Are you using the latest RT6600ax firmware?
Are you using the latest Threat Prevention engine/signatures?
It sounds like it is detecting access to your internal system - that is using an LE cert.
But it feels like that is somehow a performance issue.
Is that a normal thing? Detecting access to my system?
You need to ask in a Synology forum.
I'm only guessing at why it might be doing what it is doing.