Snort mailing list archives

Proxy scan app?


From: James Nonya <slave_tothe_box () yahoo com>
Date: Tue, 29 Jul 2003 19:16:49 -0700 (PDT)

Hey all!

Real quick...below is a proxy scan:


Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=37735 PROTO=TCP SPT=3603 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0

Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=9599 PROTO=TCP SPT=56814 DPT=4588 WINDOW=16384 RES=0x00 SYN URGP=0

Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=36306 PROTO=TCP SPT=16254 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0

Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=12762 PROTO=TCP SPT=22996 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0

Jul 29 18:30:56 homebox snort: [1:1000003:1] AnalogX Proxy Server Scan [Classification: information gathering attempt] [Priority: 8]: {TCP} 66.111.60.170:3603 -> 24.116.255.102:6588

Jul 29 18:30:56 homebox snort: [1:620:3] SCAN Proxy (8080) attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 66.111.60.170:16254 -> 24.116.255.102:8080

Jul 29 18:30:56 homebox snort: [1:618:4] SCAN Squid Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 66.111.60.170:22996 -> 24.116.255.102:3128

Now, I made a rule for the AnalogX one, but the 4588
one I've never seen before.  Anyone have an idea of
what kind of proxy this is?  These things always scan
in groups of 3 and 4 ports, so I'm wondering if it's a
scanning application or something like that.  Thanks
all!

James
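
The pattern described in the post (one source sending SYNs to three or four proxy ports within the same second) can be picked out of the firewall log directly. The following is an added example, not part of the original message: `find_scans`, `unlabelled`, the 5-second window and the three-port threshold are assumptions, and the sample input is the post's kernel entries unwrapped and shortened plus one constructed unrelated SYN.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Labels come from the Snort alerts in the post; 4588 is the port it could not identify.
KNOWN_PROXY_PORTS = {6588: "AnalogX", 8080: "HTTP proxy", 3128: "Squid"}

# The post's kernel entries, unwrapped and shortened, plus one constructed unrelated SYN.
_F = ("Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC={} "
      "DST=24.116.255.102 LEN=40 PROTO=TCP SPT={} DPT={} WINDOW=16384 RES=0x00 SYN URGP=0")
SAMPLE_LOG = "\n".join(_F.format(*row) for row in [
    ("66.111.60.170", 3603, 6588), ("66.111.60.170", 56814, 4588),
    ("66.111.60.170", 16254, 8080), ("66.111.60.170", 22996, 3128),
    ("192.0.2.10", 40000, 80),  # constructed: a lone SYN that is not a scan
])

# Matches iptables LOG lines for TCP packets with the SYN flag set.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:.*?\bSRC=(?P<src>\S+)\sDST=(?P<dst>\S+)"
    r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b.*?\sSYN\s"
)

def find_scans(log_text, window=timedelta(seconds=5), min_ports=3, year=2003):
    """Return {(src, dst): sorted ports} for SYN bursts that reach min_ports
    distinct destination ports within `window`. Syslog omits the year, so it
    is passed in (2003 is assumed from the message date)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[(m["src"], m["dst"])].append((ts, int(m["dpt"])))
    scans = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over the sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(scans.get(pair, ())):
                scans[pair] = sorted(ports)
    return scans

def unlabelled(ports):
    """Ports in a scan group that have no entry in KNOWN_PROXY_PORTS."""
    return [p for p in ports if p not in KNOWN_PROXY_PORTS]

if __name__ == "__main__":
    for (src, dst), ports in find_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ports {ports}, no label for {unlabelled(ports)}")
```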

