MAAS Images Recognized as Network Trojan by IDS/IPS (UDM Pro)

Hey, it looks like my IPS is blocking MAAS from downloading some of the boot kernel files because my factory-default IPS (UniFi UDM Pro) is recognizing the files as a network trojan. Has anyone else had this problem? What are the solutions to this problem – whitelisting? Also, does anyone have any idea why UniFi’s IPS would recognize MAAS kernel files as a network trojan?

Here’s a screenshot of what I’m seeing (source IP maps to images.maas.io):

I was getting MITMed recently when I started talking about undesirable SciNonFi I was involved in on internet security forums so this might just be me…

If it isn’t just me then maybe MAAS can use HTTPS by default to download the images and this should prevent the IPS from picking it up.

1 Like

By default MAAS is configured to access images.maas.io over HTTP to allow for transparent mirrors. All stream data is GPG signed and verified with the ubuntu-cloudimage-keyring. The stream data contains SHA256 sums for every file, which are verified by MAAS. The stream is secure and there are no known trojans. I don’t know why UDM Pro is flagging this. You can access the stream over HTTPS by changing the boot source to https://images.maas.io/ephemeral-v3/daily/

3 Likes
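The checksum step described in the reply above, as an added example that is not part of the original thread and is not MAAS's own code: it checks bytes fetched over plain HTTP against the SHA256 and size recorded in a stream index. It assumes the index has already passed GPG signature verification, that it follows the simplestreams `products:1.0` layout, and every name, path and file content in it is constructed.

```python
import hashlib
import hmac

def iter_items(products_doc):
    """Yield (path, sha256, size) for every file listed in a products document."""
    for product in products_doc.get("products", {}).values():
        for version in product.get("versions", {}).values():
            for item in version.get("items", {}).values():
                yield item["path"], item["sha256"], item.get("size")

def verify_download(products_doc, path, data):
    """Return (ok, reason) for bytes fetched for `path` over an untrusted transport."""
    for item_path, want_sha256, want_size in iter_items(products_doc):
        if item_path != path:
            continue
        # Cheap check first: a truncated or padded download fails here.
        if want_size is not None and len(data) != want_size:
            return False, "size mismatch"
        got = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(got, want_sha256.lower()):
            return False, "sha256 mismatch"
        return True, "ok"
    # A file the signed index never mentions must not be trusted at all.
    return False, "path not listed in signed index"

# Constructed sample data: a stand-in kernel file and an index entry for it.
KERNEL = b"constructed stand-in for a boot-kernel file\n"
KERNEL_PATH = "example/amd64/20240101/boot-kernel"  # hypothetical path
INDEX = {
    "format": "products:1.0",
    "products": {
        "example.product:amd64": {  # hypothetical product name
            "versions": {
                "20240101": {
                    "items": {
                        "boot-kernel": {
                            "ftype": "boot-kernel",
                            "path": KERNEL_PATH,
                            "sha256": hashlib.sha256(KERNEL).hexdigest(),
                            "size": len(KERNEL),
                        }
                    }
                }
            }
        }
    },
}

if __name__ == "__main__":
    print(verify_download(INDEX, KERNEL_PATH, KERNEL))
    print(verify_download(INDEX, KERNEL_PATH, KERNEL[:-1] + b"X"))
```

Because the expected hashes come from the signed index rather than from the transport, a file altered in transit or by a mirror fails the check whether it was fetched over HTTP or HTTPS.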