615.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:  

--

Sid:

615

--

Summary:

An external host has requested to start communications with your host on
port 1080.

--

Impact:

Network reconnaissance.

--

Detailed Information:

Improperly-configured SOCKS proxies can be abused to allow a hostile
user to launch attacks and make them appear to come from your site.

Additionally, if the proxy is behind a firewall or is a trusted host, it
can be used to gain further access into your network and other hosts.

--

Affected Systems:

Any system with a SOCKS proxy server installed.

--

Attack Scenarios:

Attacker utilizes your misconfigured proxy to anonymize their other
illegitimate activities or gain further access to your network.

--

Ease of Attack:

Trivial or extremely difficult, depending on proxy configuration.

--

False Positives:
Non-proxy applications running on port 1080, regardless of purpose, will
trigger this alert every time any session begins.

Ftp clients open a source tcp port greater than 1023 (an 'ephemeral' port).  If the 
client opens port 1080 for the data connection, this rule will be triggered by return
packets from the ftp server.  One way to cut down on these false
positives for this rule might be to preceed it with a pass rule for
'established' connections to 1080. This would only work with passive ftp
transactions, where the client initiates both control and data sessions. Normal ftp 
requires the server to initiate a connection to the client for data transfers after the client 
sets up a control session.

--

False Negatives:
None known.

--

Corrective Action:
Allow only internal users to connect to the proxy, or configure strong
access control.

--

Contributors:
Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)
Original Rule Writer Unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
False positive information contributed by jaffeld@duwamish.net

-- 

Additional References:

UnderNet:
http://help.undernet.org/proxyscan/


--