[Snort-users] SQUID scan proxy attempt

Wally Bedford wbedford at ...4171...
Tue Feb 24 16:03:05 EST 2004


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Fabio
Viero
Sent: Saturday, February 21, 2004 5:42 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SQUID scan proxy attempt

Hi

I'm new to snort and i had setup a very simple test configuration. In
short, i run squid on 192.168.0.1 (and apache, snort with acid and so
on...) and i have a win98(192.168.0.2) client that access the internet
via this proxy server (192.168.0.1). Snort is detecting this access
(from 192.168.0.2 to 192.168.0.1) as a "SCAN squid proxy attempt". We
know it's not what's really happening. The server 192.168.0.1 has no
firewall rules. The only access control is done with squid.

Could anyone give an insight about this problem?

Thanks in advance to anyone of you.



Take a look at the automatic proxy configuration in the IE properties.
If it is checked, it may be your problem.

If this is garden-variety LAN you are working with, there is not much
sense in running that rule on the inside interface.

HTH,
Wally





More information about the Snort-users mailing list