[Snort-sigs] sid 615 description

Yaroslav S. Polyakov xenon at ...295...
Wed Jan 23 02:27:14 EST 2002


Hi!

Here is my first contribution to snort-sigs, so please check if I made
everything ok.
Awaiting your response.

===
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:615; rev:1;)


--

Sid: 615

--

Summary:
There is an attempt to connect to port 1080 of your server, which is
often used for a proxy.

--
Impact:
If your proxy is misconfigured and not firewalled, an attacker can
use it as a usual proxy or can access your firewalled/NATed hosts which are
inaccessible from outside but accessible to this proxy system.

--
Detailed Information:
Many misconfigured proxy servers allow requests from everywhere. There is
a risk that an attacker will use your proxy for browsing the internet
(including HTTP attacks), access other, non-HTTP services like mail or IRC,
or use it to access your firewalled and/or NATed network, e.g. request
http://192.168.0.1/index.html from your proxy if it has an interface with
an internal IP.

--
Attack Scenarios:
telnet proxy.tld 1080 or set its address/port as the proxy in a favorite
internet browser.

--
Ease of Attack:
Simple, doesn't require any strong technical skills from the attacker.

--
False Positives:
Because of many misconfigured abused proxies, some IRC servers check
if a client has an open proxy on his IP, e.g. http://help.undernet.org/proxyscan/

--
False Negatives:

--
Corrective Action:

If it's your proxy, firewall it or configure it not to serve requests from
outside, according to your proxy software documentation.
--
Contributors:
===

---- xenon at ...295... ----
very special network services
-----------------------------
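
A triage sketch for the False Positives case described in the post, added here as an example and not part of the original message or of Snort itself: it groups sid 615 alerts by source and separates verified IRC proxy checkers from sources probing port 1080 on several hosts. It assumes Snort's alert_fast log layout; the sample lines, the allowlisted address and the sweep threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample alerts (documentation-range IPs), alert_fast layout assumed.
SAMPLE_ALERTS = """\
01/23-02:27:14.100000  [**] [1:615:1] SCAN Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.0.2.10:1080
01/23-02:27:14.200000  [**] [1:615:1] SCAN Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40113 -> 192.0.2.11:1080
01/23-02:27:14.300000  [**] [1:615:1] SCAN Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40114 -> 192.0.2.12:1080
01/23-02:30:02.000000  [**] [1:615:1] SCAN Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.50:51000 -> 192.0.2.10:1080
01/23-02:31:40.000000  [**] [1:615:1] SCAN Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.99:33001 -> 192.0.2.10:1080
01/23-02:32:00.000000  [**] [1:1000001:1] LOCAL constructed rule [**] [Priority: 3] {TCP} 198.51.100.99:33002 -> 192.0.2.10:25
"""

# Hypothetical allowlist: proxy-check hosts of IRC networks your users connect to,
# verified by you. The address below is a placeholder.
KNOWN_PROXY_CHECKERS = {"203.0.113.50"}

# Match only generator 1, sid 615, any revision, destination port 1080.
ALERT_RE = re.compile(
    r"\[1:615:\d+\].*\{TCP\}\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):1080\b"
)

def triage(alert_text, allowlist, sweep_threshold=3):
    """Return {source_ip: verdict} for sid 615 alerts in alert_text."""
    targets = defaultdict(set)  # source IP -> distinct destination hosts probed
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            targets[m.group(1)].add(m.group(2))
    verdicts = {}
    for src, dsts in targets.items():
        if src in allowlist:
            verdicts[src] = "expected-proxy-check"  # the False Positives case
        elif len(dsts) >= sweep_threshold:
            verdicts[src] = "sweep"                 # many hosts probed on 1080
        else:
            verdicts[src] = "single-probe"          # review against proxy access logs
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_ALERTS, KNOWN_PROXY_CHECKERS).items()):
        print(f"{src:15s} {verdict}")
```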




