[Snort-users] PLEASE CC ME

Sean Lazar slazar at ...9944...
Sat Nov 8 15:09:09 EST 2003


What port does your proxy run on? Is it 8080?

The rule is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
http://www.snort.org/snort-db/sid.html?sid=620

This rule, if I am reading it right, will trigger on any connection to 8080
in your home net. This one gets a lot of false positives, probably because
8080 is a popular port.

Nothing to worry about, just turn off the rule.

Sean
----- Original Message ----- 
From: "Stephan Weaver" <stephanweaver at ...125...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 06, 2003 12:41 PM
Subject: [Snort-users] PLEASE CC ME


> Hello, good day list,
> I am not on the list so can you guys please CC me at
> stephanweaver at ...125...
>
>
> Here goes....
> I am having a problem
>
> I run Snort on the same machine as my proxy server
> defined home net variable as 192.168.0.0/24.
> clients using the proxy server are logged in snort as follows...
>
> [**] [1:620:3] SCAN Proxy (8080) attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 11/06-16:40:07.970541 192.168.0.9:1117 -> 192.168.0.200:8080
> TCP TTL:128 TOS:0x0 ID:41741 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x7C3CD1  Ack: 0x0  Win: 0x2000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>
> This is not supposed to be happening.
>
> Thanks in Advance
> Stephan Weaver
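Added example, not part of the messages above: a small Python model of the header and flags test in sid:620, run against the packet from the quoted alert. The two EXTERNAL_NET values and the 203.0.113.5 address are assumptions made for illustration; the thread does not show the poster's EXTERNAL_NET setting.

```python
import ipaddress

HOME_NET = "192.168.0.0/24"   # value given in the original post
SYN = 0x02                    # TCP SYN bit
RESERVED = 0xC0               # the "1" and "2" bits that flags:S,12 ignores


def in_var(ip, spec):
    """Test an address against a rule variable: 'any', a CIDR, or '!CIDR'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return hit != negate


def sid620_matches(src, dst, dport, tcp_flags, external_net, home_net=HOME_NET):
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (flags:S,12;)"""
    return (in_var(src, external_net)
            and in_var(dst, home_net)
            and dport == 8080
            # flags:S,12 = SYN and nothing else, reserved bits not considered
            and (tcp_flags & ~RESERVED & 0xFF) == SYN)


# Packet from the quoted alert: 192.168.0.9:1117 -> 192.168.0.200:8080, ******S*
LOGGED = ("192.168.0.9", "192.168.0.200", 8080, SYN)
# Constructed packet from outside the home net (documentation address range)
OUTSIDE = ("203.0.113.5", "192.168.0.200", 8080, SYN)


def compare():
    """Return match results per EXTERNAL_NET setting (both settings are assumed)."""
    results = {}
    for ext in ("any", "!" + HOME_NET):
        results[ext] = {
            "logged_client": sid620_matches(*LOGGED, external_net=ext),
            "outside_host": sid620_matches(*OUTSIDE, external_net=ext),
        }
    return results


if __name__ == "__main__":
    for ext, res in compare().items():
        print(f"EXTERNAL_NET={ext}: {res}")
```

With EXTERNAL_NET set to `any`, the internal proxy client in the alert satisfies the rule header; with the home net excluded, only the outside source does.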