[Emerging-updates] ET INAPPROPRIATE Likely Porn Rule

Jason Williams jwilliams at emergingthreats.net
Mon Apr 20 11:11:50 HDT 2020


If you're using Suricata, there's the eve.json file that by default will
contain everything. If you're using snort, it depends what outputs you have
enabled.

On Mon, Apr 20, 2020 at 1:33 PM Christopher Wensink <
cwensink at five-star-plastics.com> wrote:

> Thanks Jason,
>
> I don't suppose there's a log file somewhere that would list out entries
> together?  Otherwise I'll just have to search fast.log and the other logs
> to manually line up the timing.
>
> Chris
>
> On 4/20/2020 2:09 PM, Jason Williams wrote:
>
> Chris,
>
> This rule is a *default disabled* ET OPEN rule that is really just a regex
> that looks at a bunch of "porn-centric" phrases and words that would be
> present in the content of a webpage as it is returned to a client on the
> monitored network.
>
> If you wanted to know more about the hits, you would have to investigate
> further into the logs that may or may not be generated on your firewall to
> observe what the URL is that is being requested and make a determination on
> next steps. If you wanted it to stop firing, it could be suppressed by
> disabling the rule as is default in the ET OPEN ruleset.
>
> My suspicion is that these may be False Positives as many of the IPs I
> looked at are hosting linux distribution files, but you never know until
> you find the actual url.
>
> Thanks,
>
> Jason
>
> On Mon, Apr 20, 2020 at 12:33 PM Christopher Wensink <
> cwensink at five-star-plastics.com> wrote:
>
>> On our Company IPFire main router I am seeing entries in fast.log since
>> 4/13 that look like this:
>>
>> 04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:57834
>> 04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54242
>> 04/13/2020-08:03:09.711630  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47376
>> 04/13/2020-08:03:10.915841  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54244
>> 04/13/2020-08:03:39.746609  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33382
>> 04/13/2020-08:03:41.763956  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44004
>> 04/13/2020-08:03:45.085779  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36346
>> 04/13/2020-08:03:46.315131  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41564
>> 04/13/2020-08:04:12.239150  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:58932
>> 04/13/2020-08:04:15.114494  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47166
>> 04/13/2020-08:04:15.381208  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38596
>> 04/13/2020-08:04:16.224797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33578
>> 04/13/2020-08:04:42.081758  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47204
>> 04/13/2020-08:04:45.278575  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54568
>> 04/13/2020-08:04:46.309885  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33618
>> 04/13/2020-08:04:46.439111  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38642
>> 04/13/2020-08:05:16.368282  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38670
>> 04/13/2020-08:05:46.156897  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58208
>> 04/13/2020-08:05:46.221470  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54640
>> 04/13/2020-08:05:46.271516  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33686
>> 04/13/2020-08:05:46.378775  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38710
>> 04/13/2020-08:06:16.188599  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44386
>> 04/13/2020-08:06:16.289229  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47918
>> 04/13/2020-08:06:16.359338  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36728
>> 04/13/2020-08:06:16.392580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41940
>> 04/13/2020-08:06:46.298890  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59288
>> 04/13/2020-08:06:46.360797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36788
>> 04/13/2020-08:06:46.393006  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47520
>> 04/13/2020-08:07:16.199580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44510
>> 04/13/2020-08:07:16.207134  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58508
>> 04/13/2020-08:07:16.300833  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59354
>> 04/13/2020-08:07:16.316368  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48046
>> 04/13/2020-08:07:46.222333  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47622
>> 04/13/2020-08:07:46.403786  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42106
>> 04/13/2020-08:08:16.214535  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44578
>> 04/13/2020-08:08:16.283075  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58578
>> 04/13/2020-08:08:16.389031  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36922
>> 04/13/2020-08:08:16.413706  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42134
>> 04/13/2020-08:08:46.530418  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59724
>> 04/13/2020-08:08:46.539093  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48416
>> 04/13/2020-08:36:58.061164  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 64.250.112.70:80 -> <external-red-ip>:46694
>>
>> There are hundreds of entries.  I'm not clear on the structure of the
>> rule if this is an attack from the outside IP, like a DDoS attack, or if
>> this is someone surfing porn on the LAN.
>>
>> I need some assistance on how I can tell, what log files to look at, and
>> to know for sure if this is a security issue, someone looking at porn or
>> a false positive.  The IP address varies for a number of requests
>> starting on 4/13 at 8:03:03 AM, then on 4/14 nearly every entry goes to
>> one specific IP:
>>
>> 04/14/2020-08:25:20.419891  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 204.99.128.20:80 -> <external-red-ip>:33796
>> 04/14/2020-08:25:20.494696  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 104.251.122.5:80 -> <external-red-ip>:32924
>> 04/14/2020-08:25:25.979955  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 72.5.72.15:80 -> <external-red-ip>:58870
>> 04/14/2020-08:25:50.411166  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 65.19.65.9:80 -> <external-red-ip>:51840
>> 04/14/2020-08:38:57.554765  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55564
>> 04/14/2020-08:39:17.119673  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55618
>> 04/14/2020-08:54:33.299196  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56122
>> 04/14/2020-09:09:53.058708  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56582
>> 04/14/2020-09:54:33.724276  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:59182
>> 04/14/2020-10:10:09.686239  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:60316
>>
>> As an IT department of 1 I do not spend much time diving into these
>> rules so I am inexperienced in this area, with too much responsibility
>> and not enough time.
>>
>> What is the best way to proceed?
>>
>> Chris
>> _______________________________________________
>> Emerging-updates mailing list
>> Emerging-updates at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>>
>
> --
> Christopher Wensink
> IS Administrator
> Five Star Plastics, Inc
> 1339 Continental Drive
> Eau Claire, WI 54701
> Office:  715-831-1682
> Mobile:  715-563-3112
> Fax:  715-831-6075
> cwensink at five-star-plastics.com
> www.five-star-plastics.com
>
>
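Jason's point above is that eve.json, unlike fast.log, carries enough to tie an alert for sid 2001608 to the HTTP request that triggered it. The following is an added example, not code from the thread or from Emerging Threats: it joins Suricata "alert" and "http" records on their shared flow_id, using constructed sample records (the hostnames, IPs and URL are made up), and also accepts the "http" object that newer Suricata builds embed in the alert record itself.

```python
import json
from collections import defaultdict

# Constructed eve.json records (not from the thread). Suricata logs the "http"
# record and the "alert" record of one connection as separate lines sharing a
# flow_id; the second alert's flow has no http record at all.
SAMPLE_EVE_LINES = [json.dumps(r) for r in [
    {"timestamp": "2020-04-13T08:03:03.542262-0500", "flow_id": 1001, "event_type": "http",
     "src_ip": "10.0.0.25", "src_port": 57834, "dest_ip": "192.0.2.10", "dest_port": 80,
     "http": {"hostname": "mirror.example.net", "http_method": "GET", "status": 200,
              "url": "/debian/dists/buster/Release"}},
    {"timestamp": "2020-04-13T08:03:03.542262-0500", "flow_id": 1001, "event_type": "alert",
     "src_ip": "192.0.2.10", "src_port": 80, "dest_ip": "10.0.0.25", "dest_port": 57834,
     "alert": {"action": "blocked", "gid": 1, "signature_id": 2001608, "rev": 9,
               "signature": "ET INAPPROPRIATE Likely Porn", "severity": 1,
               "category": "Potential Corporate Privacy Violation"}},
    {"timestamp": "2020-04-13T08:03:06.605389-0500", "flow_id": 1002, "event_type": "alert",
     "src_ip": "198.51.100.7", "src_port": 80, "dest_ip": "10.0.0.25", "dest_port": 54242,
     "alert": {"action": "blocked", "gid": 1, "signature_id": 2001608, "rev": 9,
               "signature": "ET INAPPROPRIATE Likely Porn", "severity": 1,
               "category": "Potential Corporate Privacy Violation"}},
]]

def correlate_alerts(lines, sid=2001608):
    """Pair each alert for `sid` with the HTTP request on the same flow_id.
    flow_id (not the timestamp) is the join key, which fast.log lacks. Newer
    Suricata builds may embed "http" in the alert record; used first if present.
    The rule matches the server's response, so src_ip is the web server."""
    http_by_flow = defaultdict(list)
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is appended live; skip a half-written line
        if rec.get("event_type") == "http":
            http_by_flow[rec.get("flow_id")].append(rec["http"])
        elif rec.get("event_type") == "alert" and rec["alert"].get("signature_id") == sid:
            alerts.append(rec)
    results = []
    for a in alerts:
        http = a.get("http") or next(iter(http_by_flow.get(a.get("flow_id"), [])), None)
        results.append({
            "timestamp": a["timestamp"],
            "server": f'{a["src_ip"]}:{a["src_port"]}',
            "client": f'{a["dest_ip"]}:{a["dest_port"]}',
            "hostname": http.get("hostname") if http else None,
            "url": http.get("url") if http else None,
        })
    return results
```

An alert whose flow has no http record (url None) is the case where the sensor was not logging that protocol, so the URL has to come from the firewall's own proxy or connection logs instead.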