
While trying to work on incident investigation, I am seeing continuous https requests from website

cdn.syndication.twimg.com:443/widgets/timelines/paged/
callback=__twttr.callbacks.tl 
domain=www.kali.org

These requests are continuous and are tagged as something (file with PDF/Xls or similar extension) is getting uploaded from the host PC. The user computer is a Developer[DVPC] and I don't want to interfere if he is using this application as legit, however with continuous https requests every 10 minutes and that too from kali.org[while we are a Windows-based environment], it bothers me what the user is trying to achieve here. Can someone assist me with this?

I understand my question is a bit unclear, however I am trying to understand if it should be termed as legit or this website be blocked on the proxy?

Anders

Vaibhav
  • What is the IP address of the website? It might be legitimate, but it could also be that they've spoofed the host name. – user2428118 May 08 '17 at 15:48
  • I have a hard time understanding your question. You mention that you are working on an incident. An incident in your organization? On a web server? Then you mention that the requests are tagged. By an IPS? What is the "host PC"? It would help if you would clearly state what is happening, explicitly naming all the components you see something on. – WoJ May 08 '17 at 16:21
  • Hi @WoJ, The IP Address of the website refers to Google Services[most likely Google Drive], as I have configured my policies on data upload checks on Google Drives. This incident is reported in our DLP Endpoint Prevent solution. The request tagged as something I meant with regards to policies with extensions[which refer to XLS and PDF files], So DLP policy indicated if user uploaded XLS files with data not supposed to then, it flags me as alert. I hope I am clear now? Let me know if I need to be more clear. The host PC is user machine – Vaibhav May 08 '17 at 19:50
  • It is not clear what the direction of each request/response is. Also name the developer machine something and refer to it by the same name everywhere. – Xaqron May 08 '17 at 20:21
  • Can you ask the developer what's going on? Maybe he has no idea about the traffic... – dandavis May 09 '17 at 03:11
  • After doing a little research from Google, I sense that cdn.syndication.twimg is a domain owned by Twitter, however, I am still confused why the domain is www.kali.org as the developer[DVPC] is not supposed to use any Kali Linux machine for his development projects. Also these requests are continuous and unique of around 3000Bytes each. – Vaibhav May 09 '17 at 14:37
  • You are saying "continuous https requests *from* website". Do you mean request *to* that webpage? It is the developer (what you call the host machine) that is making those requests to that URL, right? – Anders May 10 '17 at 08:51
  • There are three lines of text where you specify the website at the beginning. What are those three lines? Is it all part of one URL? Or what does `callback` and `domain` mean here? – Anders May 10 '17 at 08:54

1 Answer

Looks like someone has the kali.org blog page open, which has an embedded Twitter widget on it. This will make requests approximately every 30 seconds, checking for new tweets from the @kalilinux Twitter account.

The following screenshot from Burp, taken whilst the page https://www.kali.org/news/kali-linux-20171-release/ is open, shows this - the final column is the time of the requests, and can be seen to occur every 30 seconds. Depending on the browser being used, the frequency might be adjusted based on whether the tab is visible or not.

[Screenshot: Regular requests from a Twitter widget]

The responses have a content-disposition header, so could be triggering a SIEM which looks for unexpected downloads - the content type should be application/json though.

Matthew
  • Thanks Matt. I think this helps answer my question. Yes, the content type which I am seeing is JSON downloads. At the same time, I am receiving DLP incidents from the user's machine[DVPC], I think it's something unusual, not sure if it's this request or I might have to trace proxy logs again. – Vaibhav May 09 '17 at 18:32
  • If you're particularly unlucky, you could potentially have an ID which passes a Luhn check, so looks to a DLP solution like a credit card number. – Matthew May 10 '17 at 08:08
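As an added example, not part of the question or the answer, here is a small Python triage helper for the two points Matthew raises: a Content-Disposition header on a JSON response reads as a file download to a DLP or SIEM rule, and a numeric ID that happens to pass a Luhn check reads as a card number. The headers and body below are constructed to resemble a widget response; they are not captured from Twitter.

```python
import json
import re

# Constructed sample of a timeline-widget response (not captured from the real service).
SAMPLE_HEADERS = {
    "Content-Type": "application/json;charset=utf-8",
    "Content-Disposition": "attachment; filename=json.json",
}
SAMPLE_BODY = json.dumps({
    "headers": {"status": 200, "maxPosition": "863521297631847202"},  # constructed id
    "body": "<div data-tweet-id='863521297631847202'>...</div>"
            "<div data-tweet-id='863521297631847203'>...</div>",
})


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_candidates(text: str) -> list:
    """Digit runs of card-number length (13-19) that pass Luhn: what a naive CC rule flags."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_valid(m)]


def triage_dlp_alert(headers: dict, body: str) -> dict:
    """Summarise why a widget response can trip a download rule or a card-number rule."""
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    hits = sorted(set(luhn_candidates(body)))
    return {
        "has_content_disposition": "content-disposition" in lower,
        "content_type": ctype,
        "luhn_hits": hits,  # ids that a card-number rule would match
        # JSON plus Content-Disposition is the widget-polling pattern from the answer;
        # a non-JSON body still needs the proxy logs checked.
        "verdict": "widget_json_poll" if ctype == "application/json" else "investigate",
    }


if __name__ == "__main__":
    print(triage_dlp_alert(SAMPLE_HEADERS, SAMPLE_BODY))
```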