[Emerging-updates] ET INAPPROPRIATE Likely Porn Rule

Christopher Wensink cwensink at five-star-plastics.com
Mon Apr 20 10:32:36 HDT 2020


Thanks Jason,

I don't suppose there's a log file somewhere that would list out entries
together?  Otherwise I'll just have to search fast.log and the other
logs to manually line up the timing.

Chris

On 4/20/2020 2:09 PM, Jason Williams wrote:
> Chris,
>
> This rule is a *default disabled* ET OPEN rule that is really just a
> regex that looks at a bunch of "porn-centric" phrases and words that
> would be present in the content of a webpage as it is returned to a
> client on the monitored network.
>
> If you wanted to know more about the hits, you would have to
> investigate further into the logs that may or may not be generated on
> your firewall to observe what the URL is that is being requested and
> make a determination on next steps. If you wanted it to stop firing,
> it could be suppressed by disabling the rule as is default in the ET
> OPEN ruleset.
>
> My suspicion is that these may be False Positives as many of the IPs I
> looked at are hosting linux distribution files, but you never know
> until you find the actual url.
>
> Thanks,
>
> Jason
>
> On Mon, Apr 20, 2020 at 12:33 PM Christopher Wensink
> <cwensink at five-star-plastics.com> wrote:
>
>     On our Company IPFire main router I am seeing entries in fast.log since
>     4/13 that look like this:
>
>     04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:57834
>     04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54242
>     04/13/2020-08:03:09.711630  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47376
>     04/13/2020-08:03:10.915841  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54244
>     04/13/2020-08:03:39.746609  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33382
>     04/13/2020-08:03:41.763956  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44004
>     04/13/2020-08:03:45.085779  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36346
>     04/13/2020-08:03:46.315131  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41564
>     04/13/2020-08:04:12.239150  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:58932
>     04/13/2020-08:04:15.114494  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47166
>     04/13/2020-08:04:15.381208  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38596
>     04/13/2020-08:04:16.224797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33578
>     04/13/2020-08:04:42.081758  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47204
>     04/13/2020-08:04:45.278575  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54568
>     04/13/2020-08:04:46.309885  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33618
>     04/13/2020-08:04:46.439111  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38642
>     04/13/2020-08:05:16.368282  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38670
>     04/13/2020-08:05:46.156897  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58208
>     04/13/2020-08:05:46.221470  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54640
>     04/13/2020-08:05:46.271516  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33686
>     04/13/2020-08:05:46.378775  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38710
>     04/13/2020-08:06:16.188599  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44386
>     04/13/2020-08:06:16.289229  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47918
>     04/13/2020-08:06:16.359338  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36728
>     04/13/2020-08:06:16.392580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41940
>     04/13/2020-08:06:46.298890  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59288
>     04/13/2020-08:06:46.360797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36788
>     04/13/2020-08:06:46.393006  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47520
>     04/13/2020-08:07:16.199580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44510
>     04/13/2020-08:07:16.207134  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58508
>     04/13/2020-08:07:16.300833  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59354
>     04/13/2020-08:07:16.316368  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48046
>     04/13/2020-08:07:46.222333  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47622
>     04/13/2020-08:07:46.403786  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42106
>     04/13/2020-08:08:16.214535  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44578
>     04/13/2020-08:08:16.283075  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58578
>     04/13/2020-08:08:16.389031  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36922
>     04/13/2020-08:08:16.413706  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42134
>     04/13/2020-08:08:46.530418  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59724
>     04/13/2020-08:08:46.539093  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48416
>     04/13/2020-08:36:58.061164  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 64.250.112.70:80 -> <external-red-ip>:46694
>
>     There are hundreds of entries.  I'm not clear on the structure of the
>     rule if this is an attack from the outside IP, like a DDoS attack, or if
>     this is someone surfing porn on the LAN.
>
>     I need some assistance on how I can tell, what log files to look at, and
>     to know for sure if this is a security issue, someone looking at porn or
>     a false positive.  The IP address varies for a number of requests
>     starting on 4/13 at 8:03:03 AM, then on 4/14 nearly every entry goes to
>     one specific IP:
>
>     04/14/2020-08:25:20.419891  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 204.99.128.20:80 -> <external-red-ip>:33796
>     04/14/2020-08:25:20.494696  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.251.122.5:80 -> <external-red-ip>:32924
>     04/14/2020-08:25:25.979955  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 72.5.72.15:80 -> <external-red-ip>:58870
>     04/14/2020-08:25:50.411166  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 65.19.65.9:80 -> <external-red-ip>:51840
>     04/14/2020-08:38:57.554765  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55564
>     04/14/2020-08:39:17.119673  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55618
>     04/14/2020-08:54:33.299196  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56122
>     04/14/2020-09:09:53.058708  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56582
>     04/14/2020-09:54:33.724276  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:59182
>     04/14/2020-10:10:09.686239  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:60316
>
>     As an IT department of 1 I do not spend much time diving into these
>     rules so I am inexperienced in this area, with too much responsibility
>     and not enough time.
>
>     What is the best way to proceed?
>
>     Chris
>     _______________________________________________
>     Emerging-updates mailing list
>     Emerging-updates at lists.emergingthreats.net
>     https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>

-- 
Christopher Wensink
IS Administrator
Five Star Plastics, Inc
1339 Continental Drive 
Eau Claire, WI 54701
Office:  715-831-1682
Mobile:  715-563-3112
Fax:  715-831-6075
cwensink at five-star-plastics.com
www.five-star-plastics.com
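The triage Jason describes and Chris asks about (tell the direction of the flagged traffic, group the hits per remote server, and line an alert up with the request that caused it) can be scripted against the fast.log format shown in the thread. The example below is added here and is not code from the thread, from IPFire or from Emerging Threats. It assumes the fast.log entries have been re-joined onto single lines (the list archive wrapped them), replaces the firewall's `<external-red-ip>` with the RFC 5737 documentation address 192.0.2.10, and assumes the sensor also writes Suricata's eve.json log (which an IPFire install may or may not have enabled); the eve.json records, hostnames and URLs in it are constructed for the example. Because rule 2001608 inspects content a server returns, every hit has source port 80 and an ephemeral destination port, which is the fingerprint of a response to a request made from the LAN, not of an inbound attack; the correlation step then shows which URL each flagged response answered.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# fast.log entry layout as seen in the thread, on one line per alert.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: four entries in the thread's format, with the firewall's
# red-interface address replaced by the documentation address 192.0.2.10.
SAMPLE_FASTLOG = """\
04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> 192.0.2.10:57834
04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> 192.0.2.10:54242
04/13/2020-08:03:10.915841  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> 192.0.2.10:54244
04/13/2020-08:05:46.156897  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> 192.0.2.10:58208
not an alert line; the parser skips it
"""

# Constructed eve.json http records (assumption: the sensor writes Suricata's
# eve.json; these hostnames and URLs are made up for the example).
SAMPLE_EVE = [
    json.dumps({"timestamp": "2020-04-13T08:03:03.101000-0500", "event_type": "http",
                "src_ip": "192.0.2.10", "src_port": 57834,
                "dest_ip": "128.135.235.254", "dest_port": 80,
                "http": {"hostname": "mirror.example.net", "url": "/pub/linux/dists/Release"}}),
    json.dumps({"timestamp": "2020-04-13T08:03:06.200000-0500", "event_type": "http",
                "src_ip": "192.0.2.10", "src_port": 54242,
                "dest_ip": "147.75.197.195", "dest_port": 80,
                "http": {"hostname": "mirror.example.org", "url": "/debian/dists/buster/InRelease"}}),
]


def parse_fastlog(text):
    """Return one dict per parseable fast.log entry; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def is_server_response(alert):
    """True when the flagged packet went from a web port to an ephemeral port:
    a remote server answering a request from the monitored side, which is the
    direction a response-content rule fires on, not an inbound attack."""
    return alert["sport"] in (80, 443, 8080) and alert["dport"] >= 1024


def summarize_by_server(alerts, sid=None):
    """Group alerts by remote server: hit count, first/last seen and the
    client-side ports involved (distinct ports mean distinct connections)."""
    per = defaultdict(lambda: {"count": 0, "first": None, "last": None, "client_ports": set()})
    for a in alerts:
        if sid is not None and a["sid"] != sid:
            continue
        s = per[a["src"]]
        s["count"] += 1
        s["first"] = a["ts"] if s["first"] is None else min(s["first"], a["ts"])
        s["last"] = a["ts"] if s["last"] is None else max(s["last"], a["ts"])
        s["client_ports"].add(a["dport"])
    return dict(per)


def correlate_with_eve(alerts, eve_lines, window_s=5.0):
    """Pair each alert with eve.json http records on the same connection (same
    two address:port endpoints, either direction) logged within window_s seconds.
    Both logs carry the sensor's local time, so the eve offset is dropped."""
    by_conn = defaultdict(list)
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue
        conn = frozenset([(rec["src_ip"], rec["src_port"]), (rec["dest_ip"], rec["dest_port"])])
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)
        by_conn[conn].append((ts, rec))
    matches = []
    for a in alerts:
        conn = frozenset([(a["src"], a["sport"]), (a["dst"], a["dport"])])
        for ts, rec in by_conn.get(conn, []):
            if abs((a["ts"] - ts).total_seconds()) <= window_s:
                matches.append({"alert_ts": a["ts"], "server": a["src"], "client_port": a["dport"],
                                "hostname": rec["http"].get("hostname"), "url": rec["http"].get("url")})
    return matches


if __name__ == "__main__":
    alerts = parse_fastlog(SAMPLE_FASTLOG)
    for server, s in sorted(summarize_by_server(alerts, sid=2001608).items()):
        print(f"{server}: {s['count']} hits, {len(s['client_ports'])} connection(s), "
              f"{s['first'].time()} .. {s['last'].time()}")
    for m in correlate_with_eve(alerts, SAMPLE_EVE):
        print(f"{m['alert_ts'].time()} {m['server']} -> port {m['client_port']}: http://{m['hostname']}{m['url']}")
```

Alerts whose connection has no http record within the window (here the hits on client ports 54244 and 58208) come back unmatched, which is the case Chris is in when only fast.log is available: the server address and timing are known, but the URL has to be recovered from another log or from the proxy.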
