[Snort-sigs] sid 615 description

Yaroslav S. Polyakov xenon at ...295...
Wed Jan 23 02:27:14 EST 2002


Here is my first contribution to snort-sigs, so please check if I made
everything ok.
Awaiting your response.

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:615; rev:1;)


Sid: 615


There is an attempt to connect to port 1080 of your server, which is
often used for proxies.

If your proxy is misconfigured and not firewalled, an attacker can
use it as a usual proxy or can access your firewalled/NATed hosts, which are
inaccessible from outside but accessible to this proxy system.

Detailed Information:
Many misconfigured proxy servers allow requests from everywhere. There is
a risk that an attacker will use your proxy for browsing the internet
(including HTTP attacks), access other, non-HTTP services like mail or IRC,
or use it to access your firewalled and/or NATed network, e.g. request from
your proxy if it has an interface with an internal IP.

Attack Scenarios:
telnet proxy.tld 1080 or set its address/port as proxy in favorite internet

Ease of Attack:
Simple; doesn't require any strong technical skills from the attacker.

False Positives:
Because of many misconfigured, abused proxies, some IRC servers check
if a client has an open proxy on his IP, e.g. http://help.undernet.org/proxyscan/

False Negatives:

Corrective Action:

If it's your proxy, firewall it or configure it not to serve requests from
outside, according to your proxy software documentation.

---- xenon at ...295... ----
very special network services
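
Added example, not part of the original post and not Snort code: a Python sketch of what sid 615 matches (a bare SYN from outside to port 1080 on a home-net host) and how the false-positive case above, IRC servers checking clients for open proxies, can be triaged separately. The HOME_NET range, the allowlisted checker address, the packet records and the function names are all constructed assumptions.

```python
import ipaddress

# Assumed values for this example; the rule itself takes them from snort.conf.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
# Hypothetical allowlist: IRC servers that probe connecting clients for open proxies.
KNOWN_PROXY_CHECKERS = {ipaddress.ip_address("198.51.100.10")}

SYN = 0x02  # TCP SYN bit

def matches_sid_615(pkt):
    """Mirror the rule header and flags:S (SYN set, no other flag set)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return (pkt["proto"] == "tcp"
            and src not in HOME_NET      # assumption: $EXTERNAL_NET is !$HOME_NET
            and dst in HOME_NET
            and pkt["dport"] == 1080
            and pkt["flags"] == SYN)

def triage(packets):
    """Split rule matches into alerts and expected proxy-check probes."""
    alerts, expected = [], []
    for pkt in packets:
        if not matches_sid_615(pkt):
            continue
        src = ipaddress.ip_address(pkt["src"])
        (expected if src in KNOWN_PROXY_CHECKERS else alerts).append(pkt)
    return alerts, expected

# Constructed sample packets (documentation address ranges only).
SAMPLE = [
    # bare SYN from outside: matches
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.20", "dport": 1080, "flags": 0x02},
    # SYN+ACK: another flag is set, so flags:S does not match
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.20", "dport": 1080, "flags": 0x12},
    # different destination port: no match
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.20", "dport": 8080, "flags": 0x02},
    # internal client: source is not external, no match
    {"proto": "tcp", "src": "192.0.2.5", "dst": "192.0.2.20", "dport": 1080, "flags": 0x02},
    # allowlisted IRC proxy checker: matches the rule, triaged as expected
    {"proto": "tcp", "src": "198.51.100.10", "dst": "192.0.2.20", "dport": 1080, "flags": 0x02},
]

if __name__ == "__main__":
    alerts, expected = triage(SAMPLE)
    for p in alerts:
        print("ALERT SCAN Proxy attempt", p["src"], "->", p["dst"])
    for p in expected:
        print("expected proxy check", p["src"], "->", p["dst"])
```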
