[Snort-users] porn.rules

Paul Schmehl pauls at ...6838...
Fri Nov 9 12:43:54 EST 2007


--On Friday, November 09, 2007 09:29:58 -0500 
dhottinger at ...14237... wrote:

>
> Quoting Joel Esler <joel.esler at ...1935...>:
>
>> Either.
>>
>> --
>> Joel Esler
>> Sent from the road.
>>
>> On Nov 9, 2007, at 9:09 AM, dhottinger at ...14237... wrote:
>>
>>> Are the porn.rules flagged based on words typed in URLs or search
>>> strings?
>>>
>>> --
> I'm seeing a connection to PORN masturbation site.  However the source
> address 74.205.54.243:80 doesn't resolve.  Does anyone know what this
> address is?  dnsstuff.com says it belongs to rackspace.com, I'm
> thinking rackspace probably rents server space for domains?

[ Informations about 74.205.43.243 ]

 IP range     :    74.205.43.240 - 74.205.43.247
 Network name :    RSPC-119544-1177630982
 Infos        :    Answers in Genisis
 Infos        :    P.O. Box 510
 Infos        :    Hebron
 Infos        :    KY
 Infos        :    41048
 Country      :    United States (US)
 Abuse E-mail :    abuse at ...14239...
 Source       :    ARIN

The IP doesn't reverse.  Verisign is the SOA.  Port 80 *is* open.
# nmap 74.205.43.243

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-09 11:37 CST
Interesting ports on 74.205.43.243:
Not shown: 1692 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
80/tcp   open   http
443/tcp  open   https
3389/tcp open   ms-term-serv

-- 
Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




