[Emerging-updates] ET INAPPROPRIATE Likely Porn Rule

Jason Williams jwilliams at emergingthreats.net
Mon Apr 20 12:34:25 HDT 2020


Looking at this https://forum.ipfire.org/viewtopic.php?t=22693 it would
appear that support for eve may not be a part of the IPfire deployment. I
haven't used it personally, so I am not certain how accurate this is.

On Mon, Apr 20, 2020 at 2:15 PM Christopher Wensink <
cwensink at five-star-plastics.com> wrote:

>
> I have swatch installed and when I search for eve.json I'm not finding
> anything.  I am using suricata.
>
> Am I missing something?
> On 4/20/2020 3:11 PM, Jason Williams wrote:
>
> If you're using Suricata, there's the eve.json file that by default will
> contain everything. If you're using snort, it depends what outputs you have
> enabled.
>
> On Mon, Apr 20, 2020 at 1:33 PM Christopher Wensink <
> cwensink at five-star-plastics.com> wrote:
>
>> Thanks Jason,
>>
>> I don't suppose there's a log file somewhere that would list out entries
>> together?  Otherwise I'll just have to search fast.log and the other logs
>> to manually line up the timing.
>>
>> Chris
>>
>> On 4/20/2020 2:09 PM, Jason Williams wrote:
>>
>> Chris,
>>
>> This rule is a *default disabled* ET OPEN rule that is really just a
>> regex that looks at a bunch of "porn-centric" phrases and words that would
>> be present in the content of a webpage as it is returned to a client on the
>> monitored network.
>>
>> If you wanted to know more about the hits, you would have to investigate
>> further into the logs that may or may not be generated on your firewall to
>> observe what the URL is that is being requested and make a determination on
>> next steps. If you wanted it to stop firing, it could be suppressed by
>> disabling the rule as is default in the ET OPEN ruleset.
>>
>> My suspicion is that these may be False Positives as many of the IPs I
>> looked at are hosting Linux distribution files, but you never know until
>> you find the actual URL.
>>
>> Thanks,
>>
>> Jason
>>
>> On Mon, Apr 20, 2020 at 12:33 PM Christopher Wensink <
>> cwensink at five-star-plastics.com> wrote:
>>
>>> On our Company IPFire main router I am seeing entries in fast.log since
>>> 4/13 that look like this :
>>>
>>> 04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:57834
>>> 04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54242
>>> 04/13/2020-08:03:09.711630  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47376
>>> 04/13/2020-08:03:10.915841  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54244
>>> 04/13/2020-08:03:39.746609  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33382
>>> 04/13/2020-08:03:41.763956  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44004
>>> 04/13/2020-08:03:45.085779  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36346
>>> 04/13/2020-08:03:46.315131  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41564
>>> 04/13/2020-08:04:12.239150  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:58932
>>> 04/13/2020-08:04:15.114494  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47166
>>> 04/13/2020-08:04:15.381208  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38596
>>> 04/13/2020-08:04:16.224797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33578
>>> 04/13/2020-08:04:42.081758  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47204
>>> 04/13/2020-08:04:45.278575  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54568
>>> 04/13/2020-08:04:46.309885  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33618
>>> 04/13/2020-08:04:46.439111  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38642
>>> 04/13/2020-08:05:16.368282  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38670
>>> 04/13/2020-08:05:46.156897  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58208
>>> 04/13/2020-08:05:46.221470  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 147.75.197.195:80 -> <external-red-ip>:54640
>>> 04/13/2020-08:05:46.271516  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.153.145.19:80 -> <external-red-ip>:33686
>>> 04/13/2020-08:05:46.378775  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 208.85.242.118:80 -> <external-red-ip>:38710
>>> 04/13/2020-08:06:16.188599  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44386
>>> 04/13/2020-08:06:16.289229  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:47918
>>> 04/13/2020-08:06:16.359338  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36728
>>> 04/13/2020-08:06:16.392580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:41940
>>> 04/13/2020-08:06:46.298890  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59288
>>> 04/13/2020-08:06:46.360797  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36788
>>> 04/13/2020-08:06:46.393006  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47520
>>> 04/13/2020-08:07:16.199580  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44510
>>> 04/13/2020-08:07:16.207134  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58508
>>> 04/13/2020-08:07:16.300833  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59354
>>> 04/13/2020-08:07:16.316368  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48046
>>> 04/13/2020-08:07:46.222333  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 131.225.105.75:80 -> <external-red-ip>:47622
>>> 04/13/2020-08:07:46.403786  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42106
>>> 04/13/2020-08:08:16.214535  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 68.235.39.83:80 -> <external-red-ip>:44578
>>> 04/13/2020-08:08:16.283075  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 128.135.235.254:80 -> <external-red-ip>:58578
>>> 04/13/2020-08:08:16.389031  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 173.44.32.10:80 -> <external-red-ip>:36922
>>> 04/13/2020-08:08:16.413706  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.219.172.11:80 -> <external-red-ip>:42134
>>> 04/13/2020-08:08:46.530418  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 198.82.152.116:80 -> <external-red-ip>:59724
>>> 04/13/2020-08:08:46.539093  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.148.30.241:80 -> <external-red-ip>:48416
>>> 04/13/2020-08:36:58.061164  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 64.250.112.70:80 -> <external-red-ip>:46694
>>>
>>> There are hundreds of entries.  I'm not clear on the structure of the
>>> rule if this is an attack from the outside IP, like a DDoS attack or if
>>> this is someone surfing porn on the LAN.
>>>
>>> I need some assistance on how I can tell, what log files to look at, and
>>> to know for sure if this is a security issue, someone looking at porn or
>>> a false positive.  The IP address varies for a number of requests
>>> starting on 4/13 at 8:03:03 AM, then on 4/14 nearly every entry goes to
>>> one specific IP:
>>>
>>> 04/14/2020-08:25:20.419891  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 204.99.128.20:80 -> <external-red-ip>:33796
>>> 04/14/2020-08:25:20.494696  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 104.251.122.5:80 -> <external-red-ip>:32924
>>> 04/14/2020-08:25:25.979955  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 72.5.72.15:80 -> <external-red-ip>:58870
>>> 04/14/2020-08:25:50.411166  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 65.19.65.9:80 -> <external-red-ip>:51840
>>> 04/14/2020-08:38:57.554765  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55564
>>> 04/14/2020-08:39:17.119673  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:55618
>>> 04/14/2020-08:54:33.299196  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56122
>>> 04/14/2020-09:09:53.058708  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:56582
>>> 04/14/2020-09:54:33.724276  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:59182
>>> 04/14/2020-10:10:09.686239  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE
>>> Likely Porn [**] [Classification: Potential Corporate Privacy Violation]
>>> [Priority: 1] {TCP} 192.229.210.142:80 -> <external-red-ip>:60316
>>>
>>> As an IT department of 1 I do not spend much time diving into these
>>> rules so I am inexperienced in this area, with too much responsibility
>>> and not enough time.
>>>
>>> What is the best way to proceed?
>>>
>>> Chris
>>> _______________________________________________
>>> Emerging-updates mailing list
>>> Emerging-updates at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>>>
>>
>> --
>> Christopher Wensink
>> IS Administrator
>> Five Star Plastics, Inc
>> 1339 Continental Drive
>> Eau Claire, WI 54701
>> Office:  715-831-1682
>> Mobile:  715-563-3112
>> Fax:  715-831-6075
>> cwensink at five-star-plastics.com
>> www.five-star-plastics.com
>>
>>
> --
> Christopher Wensink
> IS Administrator
> Five Star Plastics, Inc
> 1339 Continental Drive
> Eau Claire, WI 54701
> Office:  715-831-1682
> Mobile:  715-563-3112
> Fax:  715-831-6075
> cwensink at five-star-plastics.com
> www.five-star-plastics.com
>
>
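The practical problem in this thread is lining up a fast.log alert with the HTTP record for the same flow so that the requested hostname and URL can be read instead of guessed. The script below is an added example, not code from the thread or from Emerging Threats: it parses fast.log lines in the format shown above, indexes eve.json `http` and `alert` events (both carry an `http` object when Suricata parsed the transaction) by a direction-independent flow key, and joins the two on the 5-tuple within a small time window, since fast.log has no flow_id to join on. All log lines are constructed for the example; the `<external-red-ip>` placeholder from the thread is replaced by the documentation address 203.0.113.10, and the hostnames and paths in the eve records are invented and say nothing about the real servers in the thread.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# One Suricata fast.log line has this shape (the [Drop] action tag only appears in IPS mode):
#   04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**]
#   [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> 203.0.113.10:57834
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample fast.log lines (IPs as in the thread, client address is the 203.0.113.10 placeholder).
FAST_LINES = [
    "04/13/2020-08:03:03.542262  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 128.135.235.254:80 -> 203.0.113.10:57834",
    "04/13/2020-08:03:06.605389  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 147.75.197.195:80 -> 203.0.113.10:54242",
    "04/13/2020-08:03:09.711630  [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.148.30.241:80 -> 203.0.113.10:47376",
]

# Constructed sample eve.json records: an http event for the first flow, an alert event (with embedded
# http metadata) for the second flow, and an unrelated http event. The third fast.log flow has no record.
# Hostnames and paths are invented and do not describe the real servers.
EVE_LINES = [
    json.dumps({"timestamp": "2020-04-13T08:03:03.541900-0500", "flow_id": 1, "event_type": "http",
                "src_ip": "203.0.113.10", "src_port": 57834, "dest_ip": "128.135.235.254", "dest_port": 80,
                "proto": "TCP", "http": {"hostname": "mirror.example.net", "url": "/pub/linux/dists/Release",
                                         "http_method": "GET", "status": 200}}),
    json.dumps({"timestamp": "2020-04-13T08:03:06.605389-0500", "flow_id": 2, "event_type": "alert",
                "src_ip": "147.75.197.195", "src_port": 80, "dest_ip": "203.0.113.10", "dest_port": 54242,
                "proto": "TCP", "alert": {"signature_id": 2001608, "rev": 9, "signature": "ET INAPPROPRIATE Likely Porn"},
                "http": {"hostname": "packages.example.org", "url": "/debian/pool/main/index.html"}}),
    json.dumps({"timestamp": "2020-04-13T08:03:07.000000-0500", "flow_id": 3, "event_type": "http",
                "src_ip": "203.0.113.10", "src_port": 40000, "dest_ip": "192.0.2.5", "dest_port": 80,
                "proto": "TCP", "http": {"hostname": "unrelated.example.com", "url": "/"}}),
]


def parse_fast_line(line):
    """Parse one fast.log line into a dict; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def flow_key(proto, ip_a, port_a, ip_b, port_b):
    """Direction-independent flow key. A content match on the HTTP response is logged in
    fast.log as server:80 -> client:port, while the eve http event runs client -> server."""
    return (proto, tuple(sorted([(ip_a, port_a), (ip_b, port_b)])))


def eve_timestamp(s):
    """eve writes '2020-04-13T08:03:03.541900-0500'; fast.log uses the same local wall-clock
    time without an offset, so the tzinfo is dropped before comparing the two."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)


def index_eve_http(eve_lines):
    """Map flow key -> list of (timestamp, hostname, url) from http and alert events."""
    index = {}
    for raw in eve_lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("event_type") not in ("http", "alert") or "http" not in ev:
            continue
        key = flow_key(ev["proto"], ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        index.setdefault(key, []).append(
            (eve_timestamp(ev["timestamp"]), ev["http"].get("hostname"), ev["http"].get("url")))
    return index


def correlate(fast_lines, eve_lines, window=timedelta(seconds=5)):
    """Attach the eve.json hostname/URL to each fast.log alert on the same flow within `window`;
    hostname and url stay None when eve holds no HTTP record for that flow."""
    index = index_eve_http(eve_lines)
    rows = []
    for line in fast_lines:
        a = parse_fast_line(line)
        if a is None:
            continue
        key = flow_key(a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        match = next(((h, u) for ts, h, u in index.get(key, []) if abs(ts - a["ts"]) <= window), None)
        rows.append({"ts": a["ts"], "sid": a["sid"], "msg": a["msg"],
                     "src": f'{a["src"]}:{a["sport"]}', "dst": f'{a["dst"]}:{a["dport"]}',
                     "hostname": match[0] if match else None, "url": match[1] if match else None})
    return rows


def count_by_source(fast_lines):
    """How many times each source IP (the answering web server for this rule) triggered an alert."""
    return Counter(a["src"] for a in map(parse_fast_line, fast_lines) if a)


if __name__ == "__main__":
    for row in correlate(FAST_LINES, EVE_LINES):
        print(f'{row["ts"]} sid={row["sid"]} {row["src"]} -> {row["dst"]} host={row["hostname"]} url={row["url"]}')
    print(count_by_source(FAST_LINES).most_common())
```

Run it against real files with `correlate(open("fast.log"), open("eve.json"))`; rows whose `url` stays None are flows for which eve has no HTTP record (for example because eve logging is not enabled on the box, as the IPFire thread suggests), and those are the ones that still need a manual look. The `count_by_source` summary answers the "hundreds of entries" question quickly: a handful of servers each hit many times points at repeated fetches of the same content, which fits the mirror-traffic false-positive theory better than an attack from the outside.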