[Snort-sigs] SID 615 contrib
gegomez at ...1889...
Mon Sep 22 06:58:42 EDT 2003
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
An external host has requested to start communications with your host on
Improperly-configured SOCKS proxies can be abused to allow a hostile
user to launch attacks and make them appear to come from your site.
Additionally, if the proxy is behind a firewall or is a trusted host, it
can be used to gain further access into your network and other hosts.
Any system with a SOCKS proxy server installed.
Attacker utilizes your misconfigured proxy to anonymize their other
illegitimate activities or gain further access to your network.
Ease of Attack:
Trivial or extremely difficult, depending on proxy configuration.
Non-proxy applications running on port 1080, regardless of purpose, will
trigger this alert every time any session begins.
Allow only internal users to connect to the proxy, or configure strong
Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
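
The header test this rule performs, as an added example that is not part of the original post. It assumes HOME_NET is 192.0.2.0/24 and EXTERNAL_NET is everything outside it, and it runs on constructed TCP headers; it shows that the rule sees only addresses, port and flags, so any new inbound session to port 1080 alerts whatever is listening there.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: constructed documentation range
SYN, ACK = 0x02, 0x10
IGNORED = 0xC0  # reserved bits "1" (0x80) and "2" (0x40), masked out by flags:S,12


def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def matches_sid_615(src_ip, dst_ip, header):
    """Return True when a packet satisfies the address, port and flags tests of SID 615."""
    if len(header) < 20:
        return False  # truncated header, nothing to evaluate
    _sport, dport = struct.unpack("!HH", header[:4])
    flags = header[13]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    external_to_home = src not in HOME_NET and dst in HOME_NET
    # flags:S,12 -> SYN must be the only flag set once the two reserved bits are ignored
    syn_only = (flags & ~IGNORED & 0xFF) == SYN
    return external_to_home and dport == 1080 and syn_only


# Constructed packets: (label, source, destination, TCP header)
SAMPLES = [
    ("external SYN to 1080", "198.51.100.7", "192.0.2.10", tcp_header(40000, 1080, SYN)),
    ("external SYN with reserved bits set", "198.51.100.7", "192.0.2.10",
     tcp_header(40001, 1080, SYN | 0xC0)),
    ("external SYN+ACK to 1080", "198.51.100.7", "192.0.2.10",
     tcp_header(40002, 1080, SYN | ACK)),
    ("external SYN to 80", "198.51.100.7", "192.0.2.10", tcp_header(40003, 80, SYN)),
    ("internal SYN to 1080", "192.0.2.20", "192.0.2.10", tcp_header(40004, 1080, SYN)),
]


def run_samples():
    """Evaluate every constructed packet and return (label, alerted) pairs."""
    return [(label, matches_sid_615(src, dst, hdr)) for label, src, dst, hdr in SAMPLES]


if __name__ == "__main__":
    for label, alerted in run_samples():
        print(f"{'ALERT' if alerted else 'pass ':5}  {label}")
```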