Snort mailing list archives
Proxy scan app?
From: James Nonya <slave_tothe_box () yahoo com>
Date: Tue, 29 Jul 2003 19:16:49 -0700 (PDT)
Hey all! Real quick...below is a proxy scan:

Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=37735 PROTO=TCP SPT=3603 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=9599 PROTO=TCP SPT=56814 DPT=4588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=36306 PROTO=TCP SPT=16254 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=12762 PROTO=TCP SPT=22996 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:56 homebox snort: [1:1000003:1] AnalogX Proxy Server Scan [Classification: information gathering attempt] [Priority: 8]: {TCP} 66.111.60.170:3603 -> 24.116.255.102:6588
Jul 29 18:30:56 homebox snort: [1:620:3] SCAN Proxy (8080) attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 66.111.60.170:16254 -> 24.116.255.102:8080
Jul 29 18:30:56 homebox snort: [1:618:4] SCAN Squid Proxy attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 66.111.60.170:22996 -> 24.116.255.102:3128

Now, I made a rule for the AnalogX one, but the 4588 one I've never seen before. Anyone have an idea of what kind of proxy this is? These things always scan in groups of 3 and 4 ports, so I'm wondering if it's a scanning application or something like that.

Thanks all!

James
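The grouping described in the post (one source probing three or four proxy ports at once), as an added example that is not part of the original message: it parses the netfilter LOG lines shown above and reports any source that hits several distinct ports on one host within a short window, listing the ports that have no label yet. The function names, the 5-second window, the 3-port threshold, the assumed year and the 192.0.2.10 line are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port labels taken from the Snort alerts quoted in the post; anything else is unlabelled.
KNOWN = {6588: "AnalogX", 8080: "proxy (8080)", 3128: "Squid"}

# Netfilter LOG line for an inbound TCP SYN, in the format the poster's firewall writes.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

def parse(line, year=2003):
    """Return (time, src, dst, dport) or None. Syslog omits the year, so it is assumed."""
    m = LINE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_sweeps(lines, window=timedelta(seconds=5), min_ports=3):
    """Flag (src, dst) pairs with >= min_ports distinct destination ports inside window."""
    hits = defaultdict(list)
    for ts, src, dst, dpt in filter(None, map(parse, lines)):
        hits[(src, dst)].append((ts, dpt))
    sweeps = []
    for (src, dst), ev in hits.items():
        # Largest set of distinct ports seen within `window` after any one packet.
        best = max(({p for t, p in ev if timedelta(0) <= t - t0 <= window}
                    for t0, _ in ev), key=len)
        if len(best) >= min_ports:
            sweeps.append({"src": src, "dst": dst, "ports": sorted(best),
                           "unlabelled": sorted(p for p in best if p not in KNOWN)})
    return sweeps

# Sample input: the four kernel lines from the post, plus one constructed single-port line.
SAMPLE = """\
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=37735 PROTO=TCP SPT=3603 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=9599 PROTO=TCP SPT=56814 DPT=4588 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=36306 PROTO=TCP SPT=16254 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:30:55 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=66.111.60.170 DST=24.116.255.102 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=12762 PROTO=TCP SPT=22996 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 29 18:31:10 homebox kernel: New,invalid TCP:IN=eth0 OUT= SRC=192.0.2.10 DST=24.116.255.102 LEN=40 TTL=60 ID=1 PROTO=TCP SPT=40000 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE.splitlines()):
        print(sweep)
```

Ports that come back under "unlabelled" are the ones with no matching alert name yet, which is where a new local rule would go.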
Current thread:
- Proxy scan app? James Nonya (Jul 29)
- Re: Proxy scan app? Jon Hart (Jul 29)