Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:615 |
Message | SCAN SOCKS Proxy attempt |
Summary | An external host has requested to start communications with your host on port 1080. |
Impact | Network reconnaissance. |
Detailed Information | An improperly configured SOCKS proxy can be abused by a hostile user to launch attacks that appear to come from your site. Additionally, if the proxy is behind a firewall or is a trusted host, it can be used to gain further access into your network and other hosts. |
Affected Systems | Any system with a SOCKS proxy server installed. |
Attack Scenarios | An attacker uses your misconfigured proxy to anonymize their other illegitimate activities or to gain further access to your network. |
Ease of Attack | Trivial or extremely difficult, depending on proxy configuration. |
Corrective Action | Allow only internal users to connect to the proxy, or configure strong access control. |
Additional References | UnderNet: http://help.undernet.org/proxyscan/ |
Rule References | url: help.undernet.org/proxyscan/ |
--
DID:715695