Snort mailing list archives

Re: porn.rules


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 09 Nov 2007 11:43:54 -0600

--On Friday, November 09, 2007 09:29:58 -0500 
dhottinger () harrisonburg k12 va us wrote:


Quoting Joel Esler <joel.esler () sourcefire com>:

Either.

--
Joel Esler
Sent from the road.

On Nov 9, 2007, at 9:09 AM, dhottinger () harrisonburg k12 va us wrote:

Are the porn.rules flagged based on words typed in URLs or search
strings?

--
I'm seeing a connection to PORN masturbation site.  However the source
address 74.205.54.243:80 doesn't resolve.  Does anyone know what this
address is?  dnsstuff.com says it belongs to rackspace.com, I'm
thinking rackspace probably rents server space for domains?

[ Informations about 74.205.43.243 ]

 IP range     :    74.205.43.240 - 74.205.43.247
 Network name :    RSPC-119544-1177630982
 Infos        :    Answers in Genisis
 Infos        :    P.O. Box 510
 Infos        :    Hebron
 Infos        :    KY
 Infos        :    41048
 Country      :    United States (US)
 Abuse E-mail :    abuse () rackspace com
 Source       :    ARIN

The IP doesn't reverse.  Verisign is the SOA.  Port 80 *is* open.
# nmap 74.205.43.243

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-09 11:37 CST
Interesting ports on 74.205.43.243:
Not shown: 1692 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
80/tcp   open   http
443/tcp  open   https
3389/tcp open   ms-term-serv

-- 
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

