Snort mailing list archives

Re: proxy ?


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 22 Nov 2002 18:43:20 -0500

Snort can theoretically detect anything that you can define a TCP, UDP, ICMP or IP packet for that isn't used for anything else. The packet can be identified by either header fields (i.e. ports, IPs, etc.), the contents of the packet data, or both.

So if it's a socks type proxy, you could look at the socks protocol, figure out the contents of a good packet (probably one involved in establishing connection to the proxy), and then create a rule to detect that on any port.

Note however that rules which match traffic on *any* port are quite slow and you really don't want to have many of those if you can avoid it.

If you don't know what type of proxy protocol will be used and you don't know what ports they will be used on and you don't know what IP address will be used as a proxy server, you're pretty much out of luck. You can try to write rules for the common ones, but there's no way to generically catch any proxy of any kind on any port at any IP.

At 12:05 AM 11/23/2002 +0200, Petre Bandac wrote:
can snort (put on a gateway) detect connections made to proxy servers (which
are not necessarily run on default/given ports)?

I mean, can those packages which first pass through another host before being sent
out to their destination be somehow recognized?

sorry if the question is too newbie-ish

thanks,

petre
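The rule Matt sketches above, as an added example that is not from the thread: a Python stand-in for a content rule that flags SOCKS4/SOCKS5 connection setup by payload rather than by port, run over constructed sample flows (the addresses, ports and payloads are made up for the example).

```python
import struct

def classify_socks_greeting(payload: bytes):
    """Return 'socks5', 'socks4' or None for the first client->server payload.

    SOCKS5 greeting (RFC 1928): VER=0x05, NMETHODS, then NMETHODS method bytes.
    SOCKS4 request: VN=0x04, CD (1=CONNECT, 2=BIND), DSTPORT, DSTIP, USERID, NUL.
    """
    if len(payload) < 3:
        return None
    if payload[0] == 0x05:
        # A real greeting is exactly 2 + NMETHODS bytes, so a protocol that merely
        # happens to start with 0x05 does not match on the version byte alone.
        nmethods = payload[1]
        if nmethods >= 1 and len(payload) == 2 + nmethods:
            return "socks5"
    if payload[0] == 0x04 and payload[1] in (1, 2) and len(payload) >= 9:
        # USERID is NUL-terminated (SOCKS4a appends a NUL-terminated hostname; also accepted).
        if payload[-1] == 0x00:
            return "socks4"
    return None


def find_proxy_setups(flows):
    """Like an 'any any -> any any' rule: payload content decides, ports are ignored.
    flows: iterable of (src, sport, dst, dport, payload); returns (src, dst, dport, kind).
    """
    hits = []
    for src, _sport, dst, dport, payload in flows:
        kind = classify_socks_greeting(payload)
        if kind is not None:
            hits.append((src, dst, dport, kind))
    return hits


# Constructed sample flows (hypothetical addresses, not captured traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", 51000, "10.0.0.9", 1080, b"\x05\x02\x00\x02"),  # SOCKS5, default port
    ("10.0.0.5", 51001, "10.0.0.9", 8443, b"\x05\x01\x00"),      # SOCKS5 on an odd port
    ("10.0.0.6", 51002, "10.0.0.9", 3128,                         # SOCKS4 CONNECT 198.51.100.7:80
     b"\x04\x01" + struct.pack("!H", 80) + bytes([198, 51, 100, 7]) + b"fred\x00"),
    ("10.0.0.7", 51003, "10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.0.0.7", 51004, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, kind in find_proxy_setups(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} looks like a {kind} connection setup")
```

Because the check ignores ports, it runs against the first client-to-server payload of every connection, which is exactly the cost of any-port rules that the reply warns about.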


