[Snort-sigs] Anonymous Proxy Server Detection

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Thu Mar 18 08:34:14 EST 2004

Depending on what hardware/software you use for URL filtering, you may
be able to just block the 'anonymizer' category within the filter.

BlueCoat's Proxy and NetApp's NetCache Proxy both have filtering
software built in to allow for this... In my past experience with these,
they work well...  However, some nifty anonymizer software now will
connect out over very commonly open outbound ports (ssh, ftp, etc.).  Any rule
you write would likely have to watch every ounce of traffic... 

If it's catching people you want... Check Google for anonymizers and
just look for SYN packets to them.

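# SYN-only packets (the two reserved bits ignored) from internal client ports to listed anonymizer networks
alert tcp $INTERNAL_NETS 1024: -> $ANONYMIZER_NETS any (msg:"POLICY Anonymizer Monkey"; flags:S,12;)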

Of course, I've also seen anonymizers that emulate TCP through UDP or
ICMP simply for the purposes of getting around stuff like this.  Though,
those were made by very crafty/sneaky people, and I don't think they're
publicly available.

-----Original Message-----
From: eric.ferguson at ...2322... [mailto:eric.ferguson at ...2322...]
Sent: Wednesday, March 17, 2004 4:30 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Anonymous Proxy Server Detection

Anyone have a method to detect when anonymous proxies are being used?  I
am in a school environment and kids are bypassing our URL filtering by
either a) using an anonymous proxy configured via the Internet browser or
b) using a CGI on an anonymous proxy server.  Any help would be GREATLY


Eric Ferguson
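
Added example, not part of the original thread: one way to turn a hand-collected anonymizer list into the $ANONYMIZER_NETS variable and a SYN rule shaped like the one in the reply. The sample addresses (documentation ranges), the 10.0.0.0/8 internal range, the ipvar form (older Snort releases use var), the source port range and the local sid are all assumptions of this example.

```python
import ipaddress

# Constructed sample list: documentation ranges standing in for hosts
# collected by searching for public anonymizers. Not real anonymizers.
SAMPLE_LIST = """
# one address or CIDR per line
192.0.2.10
192.0.2.11
198.51.100.0/25
198.51.100.128/25
203.0.113.7
203.0.113.7
10.1.2.3
not-an-ip
"""

INTERNAL_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]  # assumed internal range

def parse_nets(text, internal=INTERNAL_NETS):
    """Return (collapsed IPv4 networks, rejected lines) from a hand-kept list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError:
            rejected.append(line)  # typo or hostname: resolve it by hand first
            continue
        # An internal address in the list would alert on ordinary LAN traffic.
        if any(net.overlaps(i) for i in internal):
            rejected.append(line)
            continue
        nets.append(net)
    # collapse_addresses drops duplicates and merges adjacent ranges
    return list(ipaddress.collapse_addresses(nets)), rejected

def render(nets, sid=1000001):
    """Emit the variable plus the SYN rule; sid is a local placeholder."""
    var = "ipvar ANONYMIZER_NETS [%s]" % ",".join(str(n) for n in nets)
    rule = ('alert tcp $INTERNAL_NETS 1024: -> $ANONYMIZER_NETS any '
            '(msg:"POLICY Anonymizer Monkey"; flags:S,12; sid:%d; rev:1;)' % sid)
    return var + "\n" + rule

if __name__ == "__main__":
    nets, bad = parse_nets(SAMPLE_LIST)
    print(render(nets))
    print("# rejected:", bad)
```

Rejected lines are returned rather than silently skipped so a mistyped entry does not quietly leave a hole in the list.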
