[Dshield] Anonymizer?

MANUEL HUMBERTO SANTANDER PELAEZ Manuel.Santander at epm.com.co
Fri Aug 1 21:27:10 GMT 2008


The alert snip, as it is posted, doesn't look like an anonymous proxy request to me, but looks like part of a webpage (maybe a JavaScript method?). Please post one full alert and/or the network capture for this alert ;)



For Information Security
--------------------------------------------------------------
Manuel H. Santander Peláez
GIAC Certified Forensic Analyst (GCFA) 0148
GIAC Certified Intrusion Analyst (GCIA) 0864
GIAC Certified Firewall Analyst (GCFW) 2213
GIAC .NET (GNET) 031
Stay Sharp Program - Mastering Packet Analysis (SSP-MPA) 0136
Infrastructure Solutions and Service Support Unit
Empresas Públicas de Medellín E.S.P.
e-mail: manuel.santander at epm.com.co<mailto:msantand at eeppm.com>
--------------------------------------------------------------






-----Original message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On behalf of Tom Fischer
Sent: Friday, August 01, 2008 01:03 p.m.
To: list at lists.dshield.org
Subject: [Dshield] Anonymizer?





   I had some p-rn alerts show up in my Snort log, and I'm trying to
figure out why my proxy server did not block the access. The proxy
server shows the accessed url as tbn0.google.com. The Snort alert shows
that url followed by a string of unsavory links. Am I right in
suspecting that this user is accessing an external proxy to anonymize
the traffic? Here is a sample of the alert info:

ttp://tbn0.google.com/images","1",[]);dyn.Img("http://www.jessicaalbasYY
YY.com/tag/tight-jeans/&h=745&w=490&sz=69&hl=en&start=74","","hxe5ocKZgf
h81M:"

   I apologize for the brevity, I did not want to set off any filters.
