[Snort-sigs] SID 615 contrib

Gene Gomez gegomez at ...1889...
Mon Sep 22 06:58:42 EDT 2003


Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)

--

Sid:

615

--

Summary:

An external host has sent a TCP connection request (SYN) to port 1080, the
SOCKS proxy port, on one of your hosts.

--

Impact:

Network reconnaissance.

--

Detailed Information:

Improperly-configured SOCKS proxies can be abused to allow a hostile
user to launch attacks and make them appear to come from your site.

Additionally, if the proxy is behind a firewall or is a trusted host, it
can be used to gain further access into your network and other hosts.

--

Affected Systems:

Any system with a SOCKS proxy server installed.

--

Attack Scenarios:

Attacker utilizes your misconfigured proxy to anonymize their other
illegitimate activities or gain further access to your network.

--

Ease of Attack:

Trivial or extremely difficult, depending on proxy configuration.

--

False Positives:

Non-proxy applications running on port 1080, regardless of purpose, will
trigger this alert every time any session begins, because the rule only
looks for a SYN to that port and does not inspect the payload.
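
To make concrete what the rule above matches, and why the false-positive note holds, here is an added Python model of the SID 615 test. It is an illustration written for this write-up, not Snort's code or the contributor's. It assumes a constructed $HOME_NET of 192.0.2.0/24 with $EXTERNAL_NET taken as everything else, and builds sample TCP headers inline; the `12` in `flags:S,12` is Snort's notation for ignoring the two reserved bits of the flag byte (CWR and ECE), which is what lets an ECN-setup SYN still match.

```python
"""Added model of the SID 615 match test (not Snort source).

Walks a constructed TCP header through the same checks the rule makes:
direction ($EXTERNAL_NET -> $HOME_NET), destination port 1080, and
``flags:S,12`` (SYN alone, with the CWR/ECE reserved bits ignored).
"""
import ipaddress
import struct
from typing import List, Tuple

# TCP flag bits in header order, least significant first (RFC 793; RFC 3168
# put ECE and CWR in the two bits Snort calls "reserved bit 2" and "1").
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
RESERVED_MASK = CWR | ECE          # the bits that ",12" tells Snort to ignore

# Constructed stand-in for $HOME_NET; $EXTERNAL_NET is taken as !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
SOCKS_PORT = 1080

TCP_HDR = "!HHIIBBHHH"             # 20-byte fixed header, no options


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample header: seq/ack/checksum zeroed, data offset 5."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def parse_tcp_header(hdr: bytes) -> Tuple[int, int, int]:
    """Return (sport, dport, flags) from the fixed part of a TCP header."""
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(
        TCP_HDR, hdr[:20])
    return sport, dport, flags


def flags_s_12(flags: int) -> bool:
    """Snort ``flags:S,12``: after masking CWR and ECE, exactly SYN is set."""
    return (flags & ~RESERVED_MASK) == SYN


def sid615_matches(src_ip: str, dst_ip: str, tcp_header: bytes) -> bool:
    """True when this packet would raise 'SCAN SOCKS Proxy attempt'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    _sport, dport, flags = parse_tcp_header(tcp_header)
    if src in HOME_NET or dst not in HOME_NET:   # $EXTERNAL_NET any -> $HOME_NET
        return False
    # Only the destination port and the flag byte are inspected; no payload,
    # so the rule cannot tell a SOCKS daemon from any other service on 1080.
    return dport == SOCKS_PORT and flags_s_12(flags)


# Constructed traffic, labelled by what each case exercises.
SAMPLES = [
    ("203.0.113.9", "192.0.2.10", build_tcp_header(40000, 1080, SYN),
     "plain SYN to 1080"),
    ("203.0.113.9", "192.0.2.10", build_tcp_header(40001, 1080, SYN | ECE | CWR),
     "ECN-setup SYN (RFC 3168) to 1080"),
    ("203.0.113.9", "192.0.2.10", build_tcp_header(40002, 1080, SYN | ACK),
     "SYN/ACK, a reply rather than a request"),
    ("192.0.2.20", "192.0.2.10", build_tcp_header(40003, 1080, SYN),
     "SYN from an internal client"),
    ("203.0.113.9", "192.0.2.10", build_tcp_header(40004, 8080, SYN),
     "SYN to a different port"),
]


def evaluate_samples() -> List[Tuple[str, bool]]:
    """Run every constructed sample through the rule."""
    return [(label, sid615_matches(s, d, h)) for s, d, h, label in SAMPLES]


if __name__ == "__main__":
    for label, hit in evaluate_samples():
        print(f"{'ALERT' if hit else 'pass '}  {label}")
```

Running `evaluate_samples()` shows the ECN-setup SYN matching alongside the plain SYN, while the SYN/ACK reply, the internal client and the SYN to another port do not. The internal-client case is also the shape of the corrective action below: if only $HOME_NET clients can reach the proxy, external SYNs never complete a connection, although the alert on the SYN itself still fires.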

--

False Negatives:

None known.

--

Corrective Action:

Allow only internal users to connect to the proxy, or configure strong
access control.

--

Contributors:

Gene R Gomez (gene!AT!gomezbrothers!DOT!com)

-- 

Additional References:

url,help.undernet.org/proxyscan/
