[Emerging-updates] ET INAPPROPRIATE Likely Porn Rule

Christopher Wensink cwensink at five-star-plastics.com
Mon Apr 20 09:14:59 HDT 2020


On our company IPFire main router I am seeing entries in fast.log since
4/13 that look like this:

04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:57834
04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54242
04/13/2020-08:03:09.711630  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47376
04/13/2020-08:03:10.915841  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54244
04/13/2020-08:03:39.746609  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33382
04/13/2020-08:03:41.763956  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44004
04/13/2020-08:03:45.085779  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36346
04/13/2020-08:03:46.315131  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41564
04/13/2020-08:04:12.239150  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:58932
04/13/2020-08:04:15.114494  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47166
04/13/2020-08:04:15.381208  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38596
04/13/2020-08:04:16.224797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33578
04/13/2020-08:04:42.081758  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47204
04/13/2020-08:04:45.278575  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54568
04/13/2020-08:04:46.309885  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33618
04/13/2020-08:04:46.439111  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38642
04/13/2020-08:05:16.368282  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38670
04/13/2020-08:05:46.156897  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58208
04/13/2020-08:05:46.221470  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54640
04/13/2020-08:05:46.271516  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33686
04/13/2020-08:05:46.378775  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38710
04/13/2020-08:06:16.188599  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44386
04/13/2020-08:06:16.289229  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47918
04/13/2020-08:06:16.359338  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36728
04/13/2020-08:06:16.392580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41940
04/13/2020-08:06:46.298890  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59288
04/13/2020-08:06:46.360797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36788
04/13/2020-08:06:46.393006  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47520
04/13/2020-08:07:16.199580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44510
04/13/2020-08:07:16.207134  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58508
04/13/2020-08:07:16.300833  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59354
04/13/2020-08:07:16.316368  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48046
04/13/2020-08:07:46.222333  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47622
04/13/2020-08:07:46.403786  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42106
04/13/2020-08:08:16.214535  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44578
04/13/2020-08:08:16.283075  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58578
04/13/2020-08:08:16.389031  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36922
04/13/2020-08:08:16.413706  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42134
04/13/2020-08:08:46.530418  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59724
04/13/2020-08:08:46.539093  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48416
04/13/2020-08:36:58.061164  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 64.250.112.70:80 -> <external-red-ip>:46694

There are hundreds of entries.  I'm not clear from the structure of the
rule whether this is an attack from the outside IP, like a DDoS attack, or
whether this is someone surfing porn on the LAN.

I need some assistance on how I can tell, what log files to look at, and
to know for sure if this is a security issue, someone looking at porn or
a false positive.  The IP address varies for a number of requests
starting on 4/13 at 8:03:03 AM, then on 4/14 nearly every entry goes to
one specific IP:

04/14/2020-08:25:20.419891  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 204.99.128.20:80 -> <external-red-ip>:33796
04/14/2020-08:25:20.494696  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 104.251.122.5:80 -> <external-red-ip>:32924
04/14/2020-08:25:25.979955  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 72.5.72.15:80 -> <external-red-ip>:58870
04/14/2020-08:25:50.411166  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 65.19.65.9:80 -> <external-red-ip>:51840
04/14/2020-08:38:57.554765  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55564
04/14/2020-08:39:17.119673  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55618
04/14/2020-08:54:33.299196  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56122
04/14/2020-09:09:53.058708  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56582
04/14/2020-09:54:33.724276  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:59182
04/14/2020-10:10:09.686239  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:60316

As an IT department of 1 I do not spend much time diving into these
rules so I am inexperienced in this area, with too much responsibility
and not enough time.

What is the best way to proceed?

Chris
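The fast.log lines above carry enough to answer the direction question on their own: Suricata prints the packet that matched, so the left-hand address is the sender of that packet, and a source port of 80 paired with a high, changing port on the RED address means the matching packet was a web server's reply to a client on the inside (the high port is the NAT source port). The script below is an added example, not part of Chris's post or of the IPFire or Emerging Threats projects; it parses single-line fast.log records, classifies the direction, counts hits per server, lists the NAT ports to look up in the firewall's connection table, and measures the interval between hits from the same server. The RED address 203.0.113.10 and the server addresses are RFC 5737 documentation placeholders standing in for the real ones, and the sample lines are constructed in the post's format.

```python
"""Triage Suricata fast.log alerts (added example; addresses are placeholders)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

HOME_IP = "203.0.113.10"       # assumption: stands in for <external-red-ip>
HTTP_PORTS = {80, 443, 8080}    # typical members of Suricata's $HTTP_PORTS

# fast.log is one record per line; the mail client wrapped the post's lines.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<action>[^\]]+)\]\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)

_TAIL = ("ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate "
         "Privacy Violation] [Priority: 1] {TCP} ")
SAMPLE_LINES = [  # constructed sample input in the post's format, not a real log
    "04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] " + _TAIL + "198.51.100.5:80 -> 203.0.113.10:57834",
    "04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] " + _TAIL + "198.51.100.7:80 -> 203.0.113.10:54242",
    "04/13/2020-08:03:33.542262  [Drop] [**] [1:2001608:9] " + _TAIL + "198.51.100.5:80 -> 203.0.113.10:58208",
    "04/13/2020-08:04:03.542262  [Drop] [**] [1:2001608:9] " + _TAIL + "198.51.100.5:80 -> 203.0.113.10:58508",
    "Likely Porn [**] [Classification: Potential Corporate Privacy Violation]",  # wrapped fragment, skipped
]


def parse_fast_log_line(line):
    """Return the alert's fields as a dict, or None if the line is not a fast.log record."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify_direction(rec, home_ip=HOME_IP, http_ports=HTTP_PORTS):
    """Interpret the src -> dst pair: src is the sender of the packet that matched.

    A web port as source and an ephemeral port on the home address as destination
    means the server's reply to a client behind the firewall triggered the rule;
    a low destination port on the home address would mean an inbound connection.
    """
    if rec["dst"] == home_ip and rec["sport"] in http_ports and rec["dport"] >= 1024:
        return "server-reply-to-lan-client"
    if rec["src"] == home_ip and rec["dport"] in http_ports:
        return "lan-client-request"
    if rec["dst"] == home_ip and rec["dport"] < 1024:
        return "inbound-to-local-service"
    return "other"


def triage(lines, home_ip=HOME_IP):
    """Summarise a batch of fast.log lines: direction, servers, NAT ports, cadence."""
    recs = [r for r in (parse_fast_log_line(l) for l in lines) if r]
    by_direction = Counter(classify_direction(r, home_ip) for r in recs)
    by_server = Counter(r["src"] for r in recs if r["dst"] == home_ip)
    # The high port on the RED address is the NAT source port; it is the key for
    # matching the flow to an inside host in the firewall's connection table.
    nat_ports = [(r["ts"].isoformat(), r["src"], r["dport"]) for r in recs if r["dst"] == home_ip]
    # Median gap between hits from the same server: a tight, regular cadence is a
    # hint that the client is automated (polling or auto-refresh), not a conclusion.
    per_server = defaultdict(list)
    for r in recs:
        per_server[r["src"]].append(r["ts"])
    cadence = {}
    for ip, stamps in per_server.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cadence[ip] = round(statistics.median(gaps), 1) if gaps else None
    return {"parsed": len(recs), "by_direction": dict(by_direction),
            "by_server": dict(by_server), "nat_ports": nat_ports, "median_gap_s": cadence}


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against the real fast.log with `triage(open("/var/log/suricata/fast.log"))` and the firewall's actual RED address. The NAT ports it lists can be matched to an inside host only while the connection is still tracked, so the lookup has to happen during a burst; if the web proxy is in use, its access log gives a persistent record of which LAN client requested which site at that time.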

