[Snort-sigs] sid 615 description
Yaroslav S. Polyakov
xenon at ...295...
Wed Jan 23 02:27:14 EST 2002
Here is my first contribution to snort-sigs, so please check if I made
Awaiting your response.
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:615; rev:1;)
There is an attempt to connect to port 1080 of your server, which is
often used for proxies.
If your proxy is misconfigured and not firewalled, an attacker can
use it as a usual proxy or can access your firewalled/NATed hosts, which are
inaccessible from outside but accessible to this proxy system.
Many misconfigured proxy servers allow requests from everywhere. There is
a risk that an attacker will use your proxy for browsing the internet
(including HTTP attacks), access other, non-HTTP services like mail or IRC,
or use it to access your firewalled and/or NATed network, e.g. request
http://192.168.0.1/index.html from your proxy if it has interface with
telnet proxy.tld 1080 or set its address/port as proxy in favorite internet
Ease of Attack:
Simple; doesn't require any strong technical skills from the attacker.
Because of many misconfigured abused proxies, some IRC servers check
if a client has an open proxy on his IP, e.g. http://help.undernet.org/proxyscan/
If it's your proxy, firewall it or configure it not to serve requests from
outside, according to your proxy software documentation.
---- xenon at ...295... ----
very special network services
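
The header fields that the rule in this message tests, written out as an added example (not part of the original post and not Snort's own code). It shows which packets fire sid 615 and which do not. The HOME_NET value, the reading of EXTERNAL_NET as "not HOME_NET", the exact comparison of the flags byte, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed value for $HOME_NET; the post does not define the rule variables.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")
SYN, ACK = 0x02, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4 + TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def matches_sid_615(packet):
    """True for: tcp $EXTERNAL_NET any -> $HOME_NET 1080 with flags:S."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return False                       # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if len(packet) < ihl + 20:
        return False                       # truncated TCP header
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    # Assumption: EXTERNAL_NET is everything outside HOME_NET.
    if src in HOME_NET or dst not in HOME_NET or dport != 1080:
        return False
    # Assumption: flags:S without a modifier means SYN set and nothing else.
    return flags == SYN

def evaluate_samples():
    """Run the check over constructed packets; returns {label: matched}."""
    samples = {
        "outside SYN to 1080": ("203.0.113.5", "192.168.0.10", 40000, 1080, SYN),
        "outside SYN-ACK to client port 1080": ("203.0.113.5", "192.168.0.10", 80, 1080, SYN | ACK),
        "inside SYN to 1080": ("192.168.0.20", "192.168.0.10", 40000, 1080, SYN),
        "outside SYN to 8080": ("203.0.113.5", "192.168.0.10", 40000, 8080, SYN),
    }
    return {name: matches_sid_615(build_packet(*args)) for name, args in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

Only the first sample alerts: a reply to an inside client that happens to use source port 1080 is a SYN-ACK and is excluded by the flags test, while a proxy listening on another port, or reached from inside HOME_NET, is not covered by this rule at all.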