[Snort-users] Proxy scan app?

James Nonya slave_tothe_box at ...131...
Tue Jul 29 19:17:04 EDT 2003


Hey all!

Real quick...below is a proxy scan:


Jul 29 18:30:55 homebox kernel: New,invalid
TCP:IN=eth0 OUT=
MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00
SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00
PREC=0x00 TTL=240 ID=37735 PROTO=TCP SPT=3603 DPT=6588
WINDOW=16384 RES=0x00 SYN URGP=0 

Jul 29 18:30:55 homebox kernel: New,invalid
TCP:IN=eth0 OUT=
MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00
SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00
PREC=0x00 TTL=240 ID=9599 PROTO=TCP SPT=56814 DPT=4588
WINDOW=16384 RES=0x00 SYN URGP=0 

Jul 29 18:30:55 homebox kernel: New,invalid
TCP:IN=eth0 OUT=
MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00
SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00
PREC=0x00 TTL=240 ID=36306 PROTO=TCP SPT=16254
DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0 

Jul 29 18:30:55 homebox kernel: New,invalid
TCP:IN=eth0 OUT=
MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00
SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00
PREC=0x00 TTL=240 ID=12762 PROTO=TCP SPT=22996
DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0 

Jul 29 18:30:56 homebox snort: [1:1000003:1] AnalogX
Proxy Server Scan [Classification: information
gathering attempt] [Priority: 8]: {TCP}
66.111.60.170:3603 -> 24.116.255.102:6588

Jul 29 18:30:56 homebox snort: [1:620:3] SCAN Proxy
(8080) attempt [Classification: Attempted Information
Leak] [Priority: 2]: {TCP} 66.111.60.170:16254 ->
24.116.255.102:8080

Jul 29 18:30:56 homebox snort: [1:618:4] SCAN Squid
Proxy attempt [Classification: Attempted Information
Leak] [Priority: 2]: {TCP} 66.111.60.170:22996 ->
24.116.255.102:3128

Now, I made a rule for the AnalogX one, but the 4588
one I've never seen before.  Anyone have an idea of
what kind of proxy this is?  These things always scan
in groups of 3 and 4 ports, so I'm wondering if it's a
scanning application or something like that.  Thanks
all!

James
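
Added example (not part of the original post): one way to spot the grouped probes described above directly in the iptables log, by collecting SYNs per source/destination pair within a short window and listing any ports that ride along with already-recognized proxy ports, such as 4588 here. The function names, the 2-second window, the 3-port threshold and the assumed year are illustrative choices; the sample log is the post's four kernel entries unwrapped, plus one constructed unrelated line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the Snort alerts in the post already name; anything else in a burst is "unknown".
KNOWN_PROXY_PORTS = {6588: "AnalogX", 8080: "Proxy (8080)", 3128: "Squid"}

# The post's four kernel entries, unwrapped, MAC field dropped; last line is constructed.
SAMPLE_LOG = """\
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=37735 PROTO=TCP SPT=3603 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=9599 PROTO=TCP SPT=56814 DPT=4588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=36306 PROTO=TCP SPT=16254 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=12762 PROTO=TCP SPT=22996 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:31:40 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=192.0.2.10 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*?\bSYN\b")

def parse(log_text, year=2003):
    """Yield (time, src, dst, dport) per TCP SYN entry; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dpt"])

def find_proxy_sweeps(log_text, window=2, min_ports=3):
    """Flag src->dst bursts hitting >= min_ports distinct ports within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in parse(log_text):
        by_pair[(src, dst)].append((ts, dpt))
    sweeps = []
    for (src, dst), events in by_pair.items():
        events.sort()
        i = 0
        while i < len(events):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window:
                j += 1
            ports = {p for _, p in events[i:j]}
            known = ports & set(KNOWN_PROXY_PORTS)
            if len(ports) >= min_ports and known:  # a sweep that includes a known proxy port
                sweeps.append({"src": src, "dst": dst, "known": sorted(known),
                               "unknown": sorted(ports - known)})
            i = j
    return sweeps

if __name__ == "__main__":
    print(find_proxy_sweeps(SAMPLE_LOG))
```

Ports reported under "unknown" are candidates for a new local rule once the service behind them has been identified.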





