{"id":45,"date":"2023-12-30T02:57:04","date_gmt":"2023-12-30T10:57:04","guid":{"rendered":"https:\/\/blogs.wang-home.net\/?p=45"},"modified":"2023-12-30T03:00:43","modified_gmt":"2023-12-30T11:00:43","slug":"aria2-and-unifi-network-ids-ips","status":"publish","type":"post","link":"https:\/\/blog.wang-home.net\/?p=45","title":{"rendered":"aria2 and Unifi Network IDS\/IPS"},"content":{"rendered":"<p>I was trying to install a Windows 11 ARM64 build on my spare Raspberry Pi 4. This involves using a script generated by <a href=\"https:\/\/uupdump.net\">uupdump<\/a> to build a Windows installer ISO file. The script uses <a href=\"https:\/\/github.com\/aria2\/aria2\">aria2<\/a> to download packages from Microsoft servers. Soon I realized the script didn't seem to work - specifically the aria2 tool was extremely slow and failed to download a lot of files.<\/p>\n<p>It was late, so I decided to just let the script run overnight and check back the next morning.<\/p>\n<p>The next morning... no luck. The script was still running, with tons of error messages from <code class=\"\" data-line=\"\">aria2<\/code>.<\/p>\n<p>How come? <code class=\"\" data-line=\"\">aria2<\/code> claims to be &quot;super fast&quot;. The error messages essentially all say that the target server didn't respond to the request.<\/p>\n<p>To confirm the issue is really what the error message indicated, I copied some of the target URLs from the error messages, then used the <code class=\"\" data-line=\"\">wget<\/code> command to download from those URLs. And they all downloaded quickly without a single issue.<\/p>\n<p>So it seems the problem is with <code class=\"\" data-line=\"\">aria2<\/code> itself? 
Then it occurred to me that I should check the network logs on my router, the Unifi Dream Machine SE.<\/p>\n<p>And there lies the answer.<\/p>\n<p>In the <code class=\"\" data-line=\"\">Security Detections<\/code> logs, there are a bunch of events from my VM running the script:<\/p>\n<pre><code class=\"\" data-line=\"\">Potential Risk\nThis is associated with potential Trojan activity which may be harmful for your network.\n\nDetection Category     User Agents\nSignature              ET USER_AGENTS Aria2 User-Agent<\/code><\/pre>\n<p>Apparently the Unifi Network's IDS\/IPS decided aria2 is potentially harmful and blocked the traffic. That's why <code class=\"\" data-line=\"\">aria2<\/code> never received a response from Microsoft's download server for a lot of requests.<\/p>\n<p>I need the script to work, but since IDS\/IPS says these requests smell fishy, I moved the script from a sandbox VM on my &quot;low trust&quot; VLAN to a temporary VM in a dedicated &quot;no trust&quot; VLAN that can only access the internet and is completely blocked from my local network; then I added the temporary VM to the Unifi Network's <code class=\"\" data-line=\"\">Security Detection Allow List<\/code>. After that, the script worked quickly and I got the Windows 11 ARM installation ISO generated.<\/p>\n<p>Note to myself: if the rest of the network seems fine, but a certain app is having issues, make sure to check the network security logs first.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was trying to install a Windows 11 ARM64 build on my spare Raspberry Pi 4. This involves using a script generated by uupdump to build a Windows installer ISO file. The script uses aria2 to download packages from Microsoft servers. 
Soon I realized the script didn&#8217;t seem to work &#8211; specifically the aria2 tool was &#8230; <a title=\"aria2 and Unifi Network IDS\/IPS\" class=\"read-more\" href=\"https:\/\/blog.wang-home.net\/?p=45\" aria-label=\"Read more about aria2 and Unifi Network IDS\/IPS\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":46,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[7,13,9,12,10,11,8,14],"class_list":["post-45","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-homelab","tag-aria2","tag-detection","tag-ids","tag-intrusion","tag-ips","tag-security","tag-unifi","tag-uudump"],"_links":{"self":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=45"}],"version-history":[{"count":2,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts\/45\/revisions"}],"predecessor-version":[{"id":48,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/posts\/45\/revisions\/48"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=\/wp\/v2\/media\/46"}],"wp:attachment":[{"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=45"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wang-home.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=45"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wang-home.n
et\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}