Rule:  alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:615; rev:1;) 

--

Sid: 615

--

Summary: Someone has scanned for the presence of a Proxy server

--
Impact: Information Leak.

--
Detailed Information:  This signature indicates that a scan for a proxy server on port 1080 (most likely a SOCKS proxy server) has been carried out.  Many IRC clients have the ability to use a SOCKS proxy server when connecting to an IRC network.  This is particularly of use when a hacker needs to control a bot or zombie-channel to direct a DDOS.  Use of the proxy server obfuscates the real source of any attacks.

--
Attack Scenarios:  Many hackers use open proxies to relay attacks in order to obfuscate the real source of their attack.

--
Ease of Attack:  Utilities and scripts are available that can be easily configured to relay their data through a SOCKS proxy server.

--
False Positives: 

--
False Negatives:

--
Corrective Action: Secure the proxy server from anonymous or public use.

--
Contributors:

--
Additional References: