[Dshield] Anonymizer?

Mike Hale eyeronic.design at gmail.com
Fri Aug 1 21:43:59 GMT 2008


It kinda functions as a proxy.

If you go to Google Images and search for Jessica Alba Tight Jeans and
click on an image, you'll set off an alert like the one above.

That's because that Google site grabs the image and sends it through.

I wouldn't be worried about the proxy aspect, but more about what your
employee is doing searching for Jessica Alba pictures.  ;)

On Fri, Aug 1, 2008 at 2:27 PM, MANUEL HUMBERTO SANTANDER PELAEZ
<Manuel.Santander at epm.com.co> wrote:
> The alert snip as it is posted doesn't look like an anonymous proxy request to me, but looks like part of a webpage (maybe a JavaScript method?). Please post one full alert and/or the network capture for this alert ;)
>
> For Information Security
> --------------------------------------------------------------
> Manuel H. Santander Peláez
> GIAC Certified Forensic Analyst (GCFA) 0148
> GIAC Certified Intrusion Analyst (GCIA) 0864
> GIAC Certified Firewall Analyst (GCFW) 2213
> GIAC .NET (GNET) 031
> Stay Sharp Program - Mastering Packet Analysis (SSP-MPA) 0136
> Infrastructure Solutions and Service Support Unit
> Empresas Públicas de Medellín E.S.P.
> e-mail: manuel.santander at epm.com.co<mailto:msantand at eeppm.com>
> --------------------------------------------------------------
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Tom Fischer
> Sent: Friday, August 01, 2008 01:03 p.m.
> To: list at lists.dshield.org
> Subject: [Dshield] Anonymizer?
>
> I had some p-rn alerts show up in my Snort log, and I'm trying to
> figure out why my proxy server did not block the access. The proxy
> server shows the accessed URL as tbn0.google.com. The Snort alert shows
> that URL followed by a string of unsavory links. Am I right in
> suspecting that this user is accessing an external proxy to anonymize
> the traffic? Here is a sample of the alert info:
>
> ttp://tbn0.google.com/images","1",[]);dyn.Img("http://www.jessicaalbasYY
> YY.com/tag/tight-jeans/&h=745&w=490&sz=69&hl=en&start=74","","hxe5ocKZgf
> h81M:"
>
> I apologize for the brevity, I did not want to set off any filters.
>
> _________________________________________
> SANSFIRE !! The Internet Storm Center Conference
> http://www.sans.org/sansfire08/



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
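
As an added example (not part of the original thread), the distinction the replies draw can be checked with a small triage helper: given an alert payload, it reports whether a flagged host was actually requested by the client or only appears as a `dyn.Img(...)` argument inside a page. The function names, the `blocked.example` host and both sample payloads are constructed; the `dyn.Img` pattern is assumed solely from the excerpt quoted above.

```python
import re
from urllib.parse import urlsplit

# URL passed as the first argument of dyn.Img(...), the form seen in the
# alert excerpt quoted in this thread (assumed from that excerpt only).
DYN_IMG = re.compile(r'dyn\.Img\("(https?://[^"]+)"')
# Request line and Host header: present only when the client fetched the URL.
REQ_LINE = re.compile(r'^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$', re.M)
HOST_HDR = re.compile(r'^Host:[ \t]*(\S+?)(?::\d+)?\r?$', re.M | re.I)


def requested_hosts(payload):
    """Hosts the client itself asked for (request target or Host header)."""
    hosts = set()
    for target in REQ_LINE.findall(payload):
        if "://" in target:  # absolute-form target, as sent to a forward proxy
            hosts.add((urlsplit(target).hostname or "").lower())
    hosts.update(h.lower() for h in HOST_HDR.findall(payload))
    hosts.discard("")
    return hosts


def embedded_hosts(payload):
    """Hosts that appear as dyn.Img() arguments inside page content."""
    found = {(urlsplit(u).hostname or "").lower() for u in DYN_IMG.findall(payload)}
    return found - {""}


def classify(payload, flagged_host):
    """Say whether flagged_host was requested or merely referenced in a page."""
    flagged_host = flagged_host.lower()
    if flagged_host in requested_hosts(payload):
        return "requested"
    if flagged_host in embedded_hosts(payload):
        return "embedded-reference"
    return "not-found"


# Constructed samples (not captured traffic); blocked.example is a placeholder.
PAGE_BODY = ('ttp://tbn0.google.com/images","1",[]);'
             'dyn.Img("http://blocked.example/tag/x/&h=745&w=490&sz=69","","id:"')
DIRECT = "GET http://blocked.example/tag/x/ HTTP/1.1\r\nHost: blocked.example\r\n\r\n"

if __name__ == "__main__":
    print(classify(PAGE_BODY, "blocked.example"))
    print(classify(DIRECT, "blocked.example"))
```

An "embedded-reference" result matches the proxy log showing only tbn0.google.com: the flagged URL was text inside the returned page, not a destination the client connected to.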