[Snort-sigs] SID 615 contrib

Gene Gomez gegomez at ...1889...
Mon Sep 22 06:58:42 EDT 2003


alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)






An external host has requested to start communications with your host on
port 1080.



Network reconnaissance.


Detailed Information:

Improperly-configured SOCKS proxies can be abused to allow a hostile
user to launch attacks and make them appear to come from your site.

Additionally, if the proxy is behind a firewall or is a trusted host, it
can be used to gain further access into your network and other hosts.


Affected Systems:

Any system with a SOCKS proxy server installed.


Attack Scenarios:

Attacker utilizes your misconfigured proxy to anonymize their other
illegitimate activities or gain further access to your network.


Ease of Attack:

Trivial or extremely difficult, depending on proxy configuration.


False Positives:

Non-proxy applications running on port 1080, regardless of purpose, will
trigger this alert every time any session begins.


False Negatives:

None known.


Corrective Action:

Allow only internal users to connect to the proxy, or configure strong
access control.



Gene R Gomez (gene!AT!gomezbrothers!DOT!com)


Additional References:


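
An added example, not part of the original post and not Snort's own code: a Python sketch of the header test that SID 615 performs, run over constructed TCP headers, to show why any new session to port 1080 alerts regardless of the application behind it. The helper names are hypothetical, the $EXTERNAL_NET/$HOME_NET address check is left out, and "1" and "2" in flags:S,12 are taken to be the two high bits of the TCP flags byte.

```python
import struct

SYN, ACK = 0x02, 0x10
RESERVED_12 = 0xC0   # bits "1" and "2" in flags:S,12 (today's CWR and ECE)
SOCKS_PORT = 1080    # destination port from the rule header


def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options, checksum 0)."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, then flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_flags, 8192, 0, 0)


def matches_sid_615(segment):
    """Header-only approximation of SID 615 (assumption: addresses ignored).

    True when the destination port is 1080 and the flags are exactly SYN
    once the two masked reserved bits are ignored. No payload is examined,
    which is why non-proxy services on 1080 also alert.
    """
    if len(segment) < 20:
        return False
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = off_flags & 0xFF
    return dport == SOCKS_PORT and (flags & ~RESERVED_12 & 0xFF) == SYN


# Constructed samples, not captured traffic.
SAMPLES = [
    ("SYN to 1080", tcp_header(40000, 1080, SYN)),
    ("SYN with both reserved bits to 1080", tcp_header(40001, 1080, SYN | RESERVED_12)),
    ("SYN+ACK to 1080", tcp_header(40002, 1080, SYN | ACK)),
    ("ACK to 1080 (established session)", tcp_header(40003, 1080, ACK)),
    ("SYN to 80", tcp_header(40004, 80, SYN)),
]


def classify(samples=SAMPLES):
    """Return (label, alerted) for each constructed sample."""
    return [(label, matches_sid_615(seg)) for label, seg in samples]


if __name__ == "__main__":
    for label, alerted in classify():
        print(f"{'ALERT' if alerted else 'pass ':5}  {label}")
```

Only the first two samples alert: the test fires on the opening SYN of every connection to port 1080 and on nothing after it, so alert volume follows the number of new sessions to that port.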