Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN Proxy attempt"; flags:S; classtype:attempted-recon; sid:615; rev:1;)
--
Sid: 615
--
Summary: Someone has scanned for the presence of a proxy server.
--
Impact: Information leak.
--
Detailed Information: This signature indicates that a scan for a proxy server on port 1080 (most likely a SOCKS proxy server) has been carried out. Many IRC clients can use a SOCKS proxy server when connecting to an IRC network. This is particularly useful when a hacker needs to control a bot or zombie channel to direct a DDoS. Use of the proxy server obfuscates the real source of any attacks.
--
Attack Scenarios: Many hackers use open proxies to relay attacks in order to obfuscate the real source of their attack.
--
Ease of Attack: Utilities and scripts are available that can be easily configured to relay their data through a SOCKS proxy server.
--
False Positives:
--
False Negatives:
--
Corrective Action: Secure the proxy server from anonymous or public use.
--
Contributors:
--
Additional References:
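
The rule has no content match: it tests only direction, destination port and TCP flags, so an alert means a connection to port 1080 was attempted from outside, nothing more. The following is an added example, not part of the original rule documentation or of Snort itself, that applies the same tests to raw IPv4 packets. The HOME_NET range, the reading of $EXTERNAL_NET as everything outside it, the exact-match treatment of flags:S, and the helper names are assumptions; the sample packets are constructed.

```python
import ipaddress
import struct

# Constructed stand-in for $HOME_NET; $EXTERNAL_NET is assumed to be !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
SYN, ACK = 0x02, 0x10


def matches_sid_615(packet: bytes) -> bool:
    """Apply the header and flags tests of sid 615 to a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return False                      # bad header, not TCP, or truncated
    frag = struct.unpack("!H", packet[6:8])[0]
    if frag & 0x1FFF:
        return False                      # later fragment: no TCP header here
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    # flags:S is treated as an exact match: SYN set and no other flag bit.
    return (src not in HOME_NET and dst in HOME_NET
            and dport == 1080 and flags == SYN)


def build_packet(src: str, dst: str, dport: int, flags: int) -> bytes:
    """Build a constructed IPv4 + TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags,
                      1024, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "external SYN to 1080": build_packet("203.0.113.7", "192.0.2.10", 1080, SYN),
        "SYN/ACK to 1080": build_packet("203.0.113.7", "192.0.2.10", 1080, SYN | ACK),
        "internal SYN to 1080": build_packet("192.0.2.5", "192.0.2.10", 1080, SYN),
        "external SYN to 8080": build_packet("203.0.113.7", "192.0.2.10", 8080, SYN),
    }
    for label, pkt in samples.items():
        print(f"{label}: {'alert' if matches_sid_615(pkt) else 'no alert'}")
```

Only the first sample alerts. A SOCKS service moved to another port, or reached from inside HOME_NET, passes these tests silently.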