[Snort-users] Proxy scan app?

Jon Hart warchild at ...8039...
Tue Jul 29 20:05:31 EDT 2003


On Tue, Jul 29, 2003 at 07:16:49PM -0700, James Nonya wrote:
> Hey all!
> 
> Real quick...below is a proxy scan:

<snip>

> Now, I made a rule for the AnalogX one, but the 4588
> one I've never seen before.  Anyone have an idea of
> what kind of proxy this is?  These things always scan
> in groups of 3 and 4 ports, so I'm wondering if it's a
> scanning application or something like that.  Thanks
> all!

I don't know of any application that can act like a proxy that sits on
port 4588.  However, many scanners (proxy or otherwise) I've seen in the
wild tend to not only hit common proxy ports (1080, 3128, 8080), but
also hit not-so-common variations like 8081, 4128, 8128, etc.  At least
one theory behind this is that if a particular ISP blocks common proxy
ports, tricky users will try and run proxies on slightly different
ports, and that is likely what the attackers are looking for.

If you can find out if they are looking for something in particular on
port 4588, then maybe a signature could be developed.  Otherwise, you
might just add 4588 to the list of commonly scanned proxy ports.

-jon
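
An added example, not part of the original message: one way to act on the suggestion above is to treat 4588 as one more entry in a proxy-port list and flag any source that probes several of those ports on one host in a short time. The log format, the 60-second window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the message above, with 4588 added as the reply suggests.
PROXY_PORTS = {1080, 3128, 8080, 8081, 4128, 8128, 4588}
WINDOW = timedelta(seconds=60)  # assumption: how close together probes must be
MIN_PORTS = 3                   # "groups of 3 and 4 ports" from the question

# Constructed sample records: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2003-07-29T19:10:01 192.0.2.10 198.51.100.5 1080
2003-07-29T19:10:02 192.0.2.10 198.51.100.5 3128
2003-07-29T19:10:03 192.0.2.10 198.51.100.5 4588
2003-07-29T19:10:04 192.0.2.10 198.51.100.5 8080
2003-07-29T19:12:00 192.0.2.77 198.51.100.5 8080
2003-07-29T19:30:00 192.0.2.77 198.51.100.5 3128
2003-07-29T19:15:00 203.0.113.9 198.51.100.5 80
2003-07-29T19:15:02 203.0.113.9 198.51.100.5 8081
not a log record
"""

def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue

def find_proxy_scans(log_text, ports=PROXY_PORTS, window=WINDOW, min_ports=MIN_PORTS):
    """Map (src, dst) to the sorted proxy ports probed, for every source that
    touched at least min_ports distinct listed ports on one host within window."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port in ports:
            hits[(src, dst)].append((ts, port))
    findings = defaultdict(set)
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale probes
            seen = {port for _, port in events[start:end + 1]}
            if len(seen) >= min_ports:
                findings[key] |= seen
    return {key: sorted(found) for key, found in findings.items()}
```

Calling find_proxy_scans(SAMPLE_LOG) reports only the source that hit four listed ports within seconds; the two slow or single-port sources stay below the threshold.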
