[Dshield] Anonymizer?
MANUEL HUMBERTO SANTANDER PELAEZ
Manuel.Santander at epm.com.co
Fri Aug 1 21:08:00 GMT 2008
Would you please post one entire alert? It seems that one is just a snip ...
For Information Security
--------------------------------------------------------------
Manuel H. Santander Peláez
GIAC Certified Forensic Analyst (GCFA) 0148
GIAC Certified Intrusion Analyst (GCIA) 0864
GIAC Certified Firewall Analyst (GCFW) 2213
GIAC .NET (GNET) 031
Stay Sharp Program - Mastering Packet Analysis (SSP-MPA) 0136
Infrastructure Solutions and Service Support Unit
Empresas Públicas de Medellín E.S.P.
e-mail: manuel.santander at epm.com.co<mailto:msantand at eeppm.com>
--------------------------------------------------------------
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On behalf of Tom Fischer
Sent: Friday, August 01, 2008 01:03 p.m.
To: list at lists.dshield.org
Subject: [Dshield] Anonymizer?
I had some p-rn alerts show up in my Snort log, and I'm trying to
figure out why my proxy server did not block the access. The proxy
server shows the accessed url as tbn0.google.com. The Snort alert shows
that url followed by a string of unsavory links. Am I right in
suspecting that this user is accessing an external proxy to anonymize
the traffic? Here is a sample of the alert info:
ttp://tbn0.google.com/images","1",[]);dyn.Img("http://www.jessicaalbasYY
YY.com/tag/tight-jeans/&h=745&w=490&sz=69&hl=en&start=74","","hxe5ocKZgf
h81M:"
I apologize for the brevity, I did not want to set off any filters.
_________________________________________
SANSFIRE !! The Internet Storm Center Conference
http://www.sans.org/sansfire08/