[Snort-users] Proxy question

Lay, James james.lay at ...15009...
Tue Nov 9 11:49:29 EST 2010


So I see a fair amount of:

11/09-09:42:53.902454  [**] [119:17:1] (http_inspect) UNAUTHORIZED PROXY USE DETECTED [**] [Priority: 3] {TCP} 10.1.5.4:1105 -> 10.21.0.16:8080

My question is...why?  My home net is set at 10.0.0.0/8, so I suspect
I'm missing something else. Here's some snort.conf detail:

var HTTP_SERVERS 10.21.0.16

portvar HTTP_PORTS [80,1220,2301,3128,5080,7777,7779,8000,8008,8028,8080,8180,8888,9999]

preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 1500 \
    max_header_length 4096 \
    max_headers 100 \
    ports { 80 1220 2301 3128 5080 7777 7779 8000 8008 8014 8028 8080 8180 8888 9999 52400 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
#    enable_xff \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    u_encode yes \
    webroot no

Any pointers would be excellent...thank you.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
