Security Basics mailing list archives

RE: Investigation- Web pages visited


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 2 Nov 2005 14:19:15 -0800

  It's really easy for multiple sites to be hosted on a single
server, so the IP address is inadequate for this.  If I see
suspicious activity like this, I look inside the HTTP "GET"
header to find the site name.
  You *might* be able to make a pretty good guess by logging
DNS resolutions, too....

David Gillett
 

-----Original Message-----
From: Steve Barron [mailto:thurgoodj187 () hotmail com] 
Sent: Wednesday, November 02, 2005 11:09 AM
To: security-basics () securityfocus com
Subject: Investigation- Web pages visited

Hi

I am trying to investigate some possible corporate policy 
violations, mostly involving porn.  My IDS matches rules for 
certain criteria and looks for banned words in HTML.  When I
get the IP, I can query it, but most of the time I get info
about a hosting provider.  When I attempt to access the IP
http://155.X.X.X I get either some generic page or a 404
error.  Is there any way to find out what sites are hosted at 
a given IP?  My logs have not been much help for this.

Thanks

Steve
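
The Host-header lookup suggested in the reply above, as an added example that is not part of the original thread: it takes reassembled client-to-server HTTP payloads sent to one IP and recovers the site name each request was addressed to. The sample payloads, the host names and the address 192.0.2.10 are constructed for illustration.

```python
# Constructed sample: four request payloads, all sent to the same server IP.
SAMPLE_REQUESTS = [
    b"GET /gallery/index.html HTTP/1.1\r\nHost: site-a.example\r\n"
    b"User-Agent: test\r\n\r\n",
    b"GET /news HTTP/1.1\r\nUser-Agent: test\r\n"
    b"host: Site-B.example:8080\r\n\r\n",
    b"GET http://site-c.example/a?b=1 HTTP/1.0\r\n\r\n",  # proxy-style request
    b"GET / HTTP/1.0\r\n\r\n",                            # no Host header at all
]


def requested_url(payload, server_ip):
    """Return (url, source) for one HTTP request payload, or None if not HTTP.

    source says where the site name came from: 'host-header', 'request-line'
    (absolute URI, as sent to a proxy) or 'ip-only' (name not recoverable).
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                      # TLS, binary or truncated data
    target = parts[1]
    if target.lower().startswith("http://"):
        return target, "request-line"
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; host names are normalised to lower case.
        if sep and name.strip().lower() == "host" and value.strip():
            return "http://" + value.strip().lower() + target, "host-header"
    # HTTP/1.0 clients may omit Host; only the IP is known for these requests.
    return "http://" + server_ip + target, "ip-only"


def sites_on_ip(payloads, server_ip):
    """Sorted list of distinct URLs requested from one server IP."""
    results = (requested_url(p, server_ip) for p in payloads)
    return sorted({r[0] for r in results if r is not None})


if __name__ == "__main__":
    for url in sites_on_ip(SAMPLE_REQUESTS, "192.0.2.10"):
        print(url)
```

This works on cleartext HTTP only; for TLS traffic the request headers are not visible in a capture.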



