@johnpoz said in Teamspeak Login generates Suricata alert: Base64 HTTP Password detected unencrypted on:
@ghar36k if that is the case, that seems insane in this day and age, to be honest. I would do a packet capture: start the capture before you click your login and get the warning. You'll probably want to set the packet limit to 0 instead of the default 1000.
Once you see the alert, look into the packet capture - download it and use something like Wireshark, which makes the pcap much easier to read.
Do you see anything in the clear, or is it all just HTTPS traffic? If something is encoded with just base64, it would be very easy to decode. There are many places on the net where you can paste in base64 and view it decoded.
You mention the IP the data is being sent to seems legit. Does it change when you do this test multiple times? If not, it would be much easier to limit your packet capture to just that IP so it won't contain other traffic.
I would also check on their forums, or send them a support request asking about it and the warning you're seeing in your IPS.
I don't use TeamSpeak, or I would be very happy to look into it as well - quite possibly other pfSense users do use it, maybe they will chime in?
It's the same IP address every time.
It took a little longer to generate the IPS alert when I was doing the packet capture this time (30 seconds to a minute).
The alert in Suricata indicates the destination port is port 80, but when I was doing the packet capture it's showing the destination port as 41444. I'm not sure if it grabbed the right packet, so I'm going to try again.
I've kept the application open for 20-30 minutes after the first capture and it's not generating any additional alerts. The alerts only seem to come immediately/shortly after login.
I'm also not seeing any actual data (username/password), not that I'm super familiar with how to read a PCAP in Wireshark.
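As an added example that is not part of either post above, here is a small script that does what johnpoz suggests (walk the pcap, find anything sent in the clear, base64-decode it) and shows what to look for in Wireshark: it assumes the "Base64 HTTP Password detected unencrypted" alert is triggered by an HTTP `Authorization: Basic <base64>` header on a plaintext TCP session, and the pcap it scans is constructed inline (addresses, hostname and credentials are made up), not a real capture.

```python
import base64
import struct

def _tcp_payloads(pcap: bytes):
    # Yield (src_ip, dst_ip, dst_port, payload) for IPv4/TCP packets in a libpcap file (Ethernet link type).
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24                                    # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                            # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]           # IHL gives the IPv4 header length
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        dport = struct.unpack("!H", tcp[2:4])[0]
        yield src, dst, dport, tcp[(tcp[12] >> 4) * 4:]   # data offset gives the TCP header length

def find_cleartext_basic_auth(pcap: bytes):
    # Return [(src, dst, dport, username)] for each request carrying Basic auth; the password is not reported.
    hits = []
    for src, dst, dport, payload in _tcp_payloads(pcap):
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                try:
                    creds = base64.b64decode(line.split(b" ", 2)[2], validate=True)
                except ValueError:
                    continue                    # not valid base64, so not what the rule matches
                user, _, _password = creds.partition(b":")
                hits.append((src, dst, dport, user.decode(errors="replace")))
    return hits

def _frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    # Build a constructed Ethernet/IPv4/TCP frame wrapped in a pcap record header (checksums left at zero).
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 41444, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: one plaintext HTTP login on port 80, one TLS-looking record on port 443.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame("192.0.2.10", "198.51.100.5", 80, b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
                        b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
               + _frame("192.0.2.10", "198.51.100.5", 443, b"\x16\x03\x01\x00\x05hello"))
```

Run `find_cleartext_basic_auth` over a real capture's bytes and it returns the flow and username for each cleartext Basic-auth request, which is the packet to inspect in Wireshark; the HTTPS-like packet produces no hit because its payload is not readable.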