[Snort-sigs] Re: [Snort-users] Community Rule Update

Jason Haar Jason.Haar at ...651...
Sun Apr 3 15:34:21 EDT 2005


Alex Kirk wrote:

> Additionally, user Alexandru Ionica <gremlin at ...3039...> submitted a
> rule which looks for rogue proxy servers running in an organization's
> network. Anyone who wishes to submit rules may do so at
> http://www.snort.org/reg-bin/rulesubmit.cgi.

Hmm - where should bug reports for community rules go? :-)

I think that rule needs to be fleshed out. For one thing it'd trigger on
every proxy server you have, so maybe it should include a "var"
definition. Also it is specific to Squid - the following will also match
ISA and NetCache.

------------------- change ----------------
#Change the following VALID_PROXY_SERVERS to define the valid proxy servers on your network,
#otherwise this will never trigger (e.g. "var VALID_PROXY_SERVERS [1.2.3.4/32,1.2.4.44/32]")
var VALID_PROXY_SERVERS $HOME_NET
alert tcp !$VALID_PROXY_SERVERS any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; \
    flow:established,from_server; \
    content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; \
    content:!"ERR_ACCESS_DENIED"; nocase; logto:"proxy"; \
    sid:100000132; rev:2;)
-------------------------------------------------

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
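
Added example, not part of the original post or of the Snort project: a Python model of the revised rule's source-address negation and content options, run over constructed HTTP responses, showing why the default `var VALID_PROXY_SERVERS $HOME_NET` never fires for an internal host and what changes once the variable lists only the sanctioned proxies. The addresses, host names and payloads are constructed, and the destination address and flow state are not modelled.

```python
import ipaddress

# Content options from the rule; Snort's "nocase" is modelled by lowercasing.
REQUIRED = (b"proxy-connection", b"via", b"http")
NEGATED = b"err_access_denied"


def parse_var(value):
    """Parse a Snort-style address list such as "[1.2.3.4/32,1.2.4.44/32]"."""
    items = value.strip("[]").split(",")
    return [ipaddress.ip_network(i.strip()) for i in items if i.strip()]


def rule_fires(src_ip, payload, valid_proxies):
    """True when the source negation and all content options match."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in valid_proxies):  # !$VALID_PROXY_SERVERS
        return False
    data = payload.lower()
    return all(c in data for c in REQUIRED) and NEGATED not in data


# Constructed server-to-client payloads (not captured traffic).
PROXIED = (b"HTTP/1.0 200 OK\r\nVia: 1.0 cache.example (proxy)\r\n"
           b"Proxy-Connection: keep-alive\r\n\r\n<html>ok</html>")
DENIED = (b"HTTP/1.0 403 Forbidden\r\nVia: 1.0 cache.example (proxy)\r\n"
          b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
          b"Proxy-Connection: close\r\n\r\n")
DIRECT = b"HTTP/1.1 200 OK\r\nServer: httpd\r\nConnection: close\r\n\r\nhello"


def demo():
    home_net = parse_var("[192.0.2.0/24]")  # default: var = $HOME_NET
    tuned = parse_var("[192.0.2.10/32,192.0.2.11/32]")  # sanctioned proxies
    rogue, sanctioned = "192.0.2.77", "192.0.2.10"
    return {
        "rogue_with_default_var": rule_fires(rogue, PROXIED, home_net),
        "rogue_with_tuned_var": rule_fires(rogue, PROXIED, tuned),
        "sanctioned_with_tuned_var": rule_fires(sanctioned, PROXIED, tuned),
        "rogue_access_denied_page": rule_fires(rogue, DENIED, tuned),
        "rogue_plain_web_server": rule_fires(rogue, DIRECT, tuned),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case}: {'ALERT' if fired else 'no alert'}")
```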




