[Snort-users] Proxy Scanner?
nigel.houghton at ...1935...
Fri Dec 20 08:07:14 EST 2002
Looks like a scan for open http proxies. Could be any number of scanning
tools. Could be any number of reasons for it. If you are running any of
these proxies, I suggest setting up some restrictive ACLs or using your
firewall to deny un-authenticated traffic from outside your LAN to the
On Fri, 2002-12-20 at 09:29, Sylar, John wrote:
> Lately, I'm seeing this sort of scan a lot, from assorted netblocks. Doesn't
> seem to correlate to the Incidents site.
> While the source port is not always 0, the destination ports are always the
> same, in the same order.
> Does anyone know what tool this might be? Or have some pointers to
> references for reading?
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:1080 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:3128 SYN ******S*
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8000 SYN ******S*
Proxy port can be used by any number of proxy servers.
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:80 SYN ******S*
Standard http port
> Dec 19 18:39:14 their.i.p.addr:0 -> my.i.p.addr:8080 SYN ******S*
> Thanks and best regards,
You might find this link interesting too:
Nigel Houghton Security Engineer Sourcefire Inc.
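
Added example, not part of the original message or of Snort: a small Python check that finds this pattern in a log of the layout quoted above by flagging any source that sends SYNs to several of the listed proxy ports on one host within a few seconds. The function name, the thresholds (min_ports, window_seconds), the year value and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports seen in the scan quoted in this thread.
PROXY_PORTS = {1080, 3128, 8000, 80, 8080}
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+([\w.]+):\d+"
                     r"\s+->\s+([\w.]+):(\d+)\s+SYN\b")

def find_proxy_sweeps(lines, min_ports=4, window_seconds=5, year=2002):
    """Map (src, dst) -> sorted proxy ports hit within one time window.

    The log lines carry no year, so `year` is an assumed value used only
    to build comparable timestamps.
    """
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a SYN entry in the expected layout
        ts, src, dst, dport = m.groups()
        if int(dport) in PROXY_PORTS:
            when = datetime.strptime(f"{year} {' '.join(ts.split())}",
                                     "%Y %b %d %H:%M:%S")
            events[(src, dst)].append((when, int(dport)))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for pair, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct proxy ports probed within the window opening here.
            ports = {p for t, p in seen[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """\
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:1080 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:3128 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8000 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:80 SYN ******S*
Dec 19 18:39:14 192.0.2.10:0 -> 198.51.100.5:8080 SYN ******S*
Dec 19 18:40:02 203.0.113.7:40112 -> 198.51.100.5:80 SYN ******S*
Dec 19 21:15:40 203.0.113.7:40355 -> 198.51.100.5:8080 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    for (src, dst), ports in find_proxy_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: proxy ports {ports}")
```

The second source in the sample touches two of the ports hours apart and is not reported, which is the difference between ordinary web traffic and the same-second sweep in the quoted log.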