• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 747
  • Last Modified:

SonicWall TZ200W Logs

03/03/2011 12:02:11.304      Alert      Intrusion Prevention      IPS Detection Alert: SOCIAL-NETWORKING Facebook -- Browsing Activity 1, SID: 2821, Priority: Low

Employee swears that he was not browsing FACEBOOK period.  What can cause this?
Could it simply be a link in a web page?  And advertisement?


0
kman48185
Asked:
kman48185
1 Solution
 
rawinnlnx9Commented:
If he has a facebook add-on in his browser or some other Facebook widget etc... that will cause this. The simplest thing to do is isolate the system and then see what causes that entry in the log...
0
 
akhalighiCommented:
Check his browser history . make sure he really didn't.
0
 
digitapCommented:
sounds as if you've already isolated the user, but certainly an advertisement can cause this. of course, the user could be lying as well. as akhalighi indicated, check their history.
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

 
kman48185Author Commented:
Ok, I can check that, Does your opinion change any if, the browser was not being used at the time.  E.g. guy not in office at 7 AM but SonicWall logs shows entry.
0
 
digitapCommented:
hehehe...making this difficult, huh? well, my opinion then goes to malicious software on his workstation which may be accessing the internet. assuming, of course, they can prove they weren't at their desk at 7a, which i'm sure they weren't. we've all got better things to do than try to access facebook illegally from our workstations at 7a. might as well make the illegal website worth accessing if there's a possibility we'll get fired over it.

i'd scan the workstation with malwarebytes or similar.
0
 
digitapCommented:
interestingly enough, i was just looking through a viewpoint server that my laptop is connected to at a client site. i noticed that a website that i like to visit was listed, xkcd.com. this particular viewpoint report was for blocked sites and xkcd.com is categorized at adult/mature content. anyway, i'm certain that i didn't visit the site, i realized that my firefox browser has an RSS feed for this website. i'm sure that my browser tried to update the RSS feed and was blocked by the sonicwall creating blocked log entry.
0
 
ee_autoCommented:
Question PAQ'd and stored in the solution database.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now