[Snort-users] Configuration HELP! (understanding alerts and proxies)

matt mkettler at ...4108...
Wed Jun 12 14:07:02 EDT 2002

This indicates that the machine xx.xx.xx.243 contacted (or attempted to at 
least) a socks proxy server on the xx.xx.xx.77 machine.


If your network is set up such that you use a proxy server for your 
internet connection.. well.. then yes.. you've detected something normal. 
This kind of connection is generally only of concern when someone outside 
your network tries to connect to a proxy server inside it.

Correct your definition of HOME_NET to only include machines under your 
control, and exclude those owned by your ISP to prevent such false alarms. 
Or configure EXTERNAL_NET to be !$HOME_NET instead of any.

At 10:18 AM 6/12/2002 -1000, Jason Martin wrote:
>Configuration:  Snort WIN32 1.8 port on a Win2k Pro.
>Running snort from the command line:
>Snort -dev -c snort.conf
>Below is a snippet of my config file.
>I tried to set my variables so that only my PC would be considered "home"
>and snort would treat all other packets as being external.  However, Snort
>is not logging IDS alerts except for activity from my machine (var
>HOME_NET).  If I scan Snort machine from a test machine it detects nothing.
>As soon as I scan the test machine with my Snort machine, Snort lights up.
>To alleviate this problem I placed my IP address in the preprocessor
>portscan-ignorehosts section, that didn't work either.  It is still alarming
>off of traffic sent from my PC.
>I must have mis-configured something and was hoping someone could shed some
>light on the situation.
>I've also noticed that any trigger events that do happen to be logged, all
>show traffic flow coming from my machine.
>**] [1:615:3] SCAN SOCKS Proxy attempt [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/10-11:40:24.538093 x.x.x.243:1282 -> x.x.x.77:1080
>TCP TTL:128 TOS:0x0 ID:22013 IpLen:20 DgmLen:48 DF
>******S* Seq: 0xDA7C045C  Ack: 0x0  Win: 0x4000  TcpLen: 28
>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>[Xref => http://help.undernet.org/proxyscan/
><http://help.undernet.org/proxyscan/> ]
>The x.x.x.77 machine is the machine that was scanning me, but the traffic
>flow shows my machine responding to the proxy scan, it did not create an
>event showing a scan coming from the scanning machine. When I look at this,
>it makes me think I was scanning x.x.x.77. Or, am I just misunderstanding
>the log?
>Thanks in advance for any help.
>var HOME_NET x.x.x.243/32
>var RULE_PATH /rules
>preprocessor frag2
>preprocessor stream4: detect_scans
>preprocessor stream4_reassemble
>preprocessor http_decode: 80 -unicode -cginull
>preprocessor rpc_decode: 111 32771
>preprocessor bo: -nobrute
>preprocessor telnet_decode
>preprocessor portscan: $EXTERNAL_NET 2 1 portscan.log
>preprocessor portscan-ignorehosts: $HOME_NET
>Confidentiality Notice:
>This email message, including any attachments, is for the sole use of
>the intended recipient(s) and may contain confidential and privileged
>information.  Any unauthorized review, use, disclosure, or distribution
>is prohibited.  If you are not the intended recipient, please contact
>the sender by reply e-mail and destroy all copies of the original message.
>Sponsored by:
>ThinkGeek at http://www.ThinkGeek.com/
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list