RE: Investigation- Web pages visited

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 11/02/05

  • Next message: Herbold, John W.: "RE: Why NOT to disable Real Time Antivirus on Servers"
    To: "'Steve Barron'" <thurgoodj187@hotmail.com>, <security-basics@securityfocus.com>
    Date: Wed, 2 Nov 2005 14:19:15 -0800
    
    

      It's really easy for multiple sites to be hosted on a single
    server, so the IP address is inadequate for this. If I see
    suspicious activity like this, I look inside the HTTP "GET"
    header to find the site name.
      You *might* be able to make a pretty good guess by logging
    DNS resolutions, too....

    David Gillett
     

    > -----Original Message-----
    > From: Steve Barron [mailto:thurgoodj187@hotmail.com]
    > Sent: Wednesday, November 02, 2005 11:09 AM
    > To: security-basics@securityfocus.com
    > Subject: Investigation- Web pages visited
    >
    > Hi
    >
    > I am trying to investigate some possible corporate policy
    > violations, mostly involving porn. My IDS matches rules for
    > certain criteria and looks for banned words in html. When I
    > get the IP, I can query it, but most of the time I get info
    > about a hosting provider. When I attempt to access the ip
    > http://155.X.X.X I get either some generic page or a 404
    > error. Is there any way to find out what sites are hosted at
    > a given IP? My logs have not been much help for this.
    >
    > Thanks
    >
    > Steve
    >
    >
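Pulling the site name out of the request, as David describes, as an added example that is not part of the original thread: a small Python script that reads the Host header from captured plain-HTTP requests (or the absolute URI some proxies send) and, when the request carries no Host header at all, falls back to the names the same client recently resolved to that server address, which is the "pretty good guess" approach. The request bytes, the DNS log format and all addresses and host names below are constructed for the example; the parsing functions are mine, not anything from the list.

```python
"""Attribute captured HTTP requests to a virtual host name.

Added example (not from the list post). The request payloads and the
DNS answer log are constructed samples; the address 155.0.0.1 and the
*.test names are placeholders, not real hosts.
"""
import re
from collections import defaultdict

# Constructed capture: (client IP, server IP, raw request bytes).  All three
# requests go to the same shared-hosting address, so the IP alone says nothing.
SAMPLE_REQUESTS = [
    ("10.1.2.3", "155.0.0.1",
     b"GET /index.html HTTP/1.1\r\nHost: example-a.test\r\nUser-Agent: x\r\n\r\n"),
    ("10.1.2.3", "155.0.0.1",
     b"GET /img/logo.png HTTP/1.1\r\nhost: Example-B.test:80\r\n\r\n"),
    # HTTP/1.0 client with no Host header: only DNS can name the site.
    ("10.1.2.9", "155.0.0.1",
     b"GET / HTTP/1.0\r\nUser-Agent: old\r\n\r\n"),
]

# Constructed DNS answer log: "<time> <client> A <name> -> <answer ip>"
SAMPLE_DNS_LOG = """\
2005-11-02T11:05:01 10.1.2.3 A example-a.test -> 155.0.0.1
2005-11-02T11:05:07 10.1.2.3 A example-b.test -> 155.0.0.1
2005-11-02T11:06:40 10.1.2.9 A example-c.test -> 155.0.0.1
"""

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")
DNS_LINE = re.compile(r"^(\S+) (\S+) A (\S+) -> (\S+)$")


def _strip_port(host):
    """Drop an explicit :port; keep bracketed IPv6 literals intact."""
    if host.startswith("["):
        return host[1:host.find("]")] if "]" in host else host
    return host.split(":")[0]


def parse_http_request(payload):
    """Return (method, target, host-or-None) for one raw HTTP request.

    Header names are case-insensitive, so 'host:' and 'Host:' both count.
    An absolute-URI request line (proxy style) also names the site.
    """
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method, target = m.group(1).decode(), m.group(2).decode()
    head = payload.partition(b"\r\n\r\n")[0]
    host = None
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = _strip_port(value.strip().decode("ascii", "replace").lower())
            break
    if host is None and target.lower().startswith("http://"):
        host = _strip_port(target[7:].split("/", 1)[0].lower())
    return method, target, host


def parse_dns_log(text):
    """Map (client, answer ip) -> set of names that client resolved to it."""
    lookups = defaultdict(set)
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            _, client, qname, ip = m.groups()
            lookups[(client, ip)].add(qname.lower())
    return lookups


def attribute_requests(requests, dns_text):
    """Name the site for each request: Host header when present, otherwise
    the DNS names this client resolved to that server (a guess, as noted)."""
    lookups = parse_dns_log(dns_text)
    results = []
    for client, server, payload in requests:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue  # not an HTTP request line; skip it
        _, _, host = parsed
        if host:
            results.append((client, server, host, "host-header"))
        else:
            guesses = sorted(lookups.get((client, server), ()))
            results.append((client, server, ",".join(guesses) or "unknown", "dns-guess"))
    return results


if __name__ == "__main__":
    for row in attribute_requests(SAMPLE_REQUESTS, SAMPLE_DNS_LOG):
        print("%s -> %s  site=%s  (%s)" % row)
```

The Host header is authoritative for what the browser asked for; the DNS fallback is only a correlation and should be reported as such in any write-up, since a client may resolve several names pointing at one address and visit only one of them.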

