Snort mailing list archives
Re: Proxy scan app?
From: Jon Hart <warchild () spoofed org>
Date: Tue, 29 Jul 2003 23:04:50 -0400
On Tue, Jul 29, 2003 at 07:16:49PM -0700, James Nonya wrote:
Hey all! Real quick...below is a proxy scan:
<snip>
Now, I made a rule for the AnalogX one, but the 4588 one I've never seen before. Anyone have an idea of what kind of proxy this is? This things always scan in groups of 3 and 4 ports, so I'm wondering if it's a scanning application or something like that. Thanks all!
I don't know of any application that can act like a proxy that sits on port 4588. However, many scanners (proxy or otherwise) I've seen in the wild tend to not only hit common proxy ports (1080, 3128, 8080), but also hit not-so-common variations like 8081, 4128, 8128, etc. At least one theory behind this is that if a particular ISP blocks common proxy ports, tricky users will try and run proxies on slightly different ports, and that is likely what the attackers are looking for. If you can find out if they are looking for something in particular on port 4588, then maybe a signature could be developed. Otherwise, you might just add 4588 to the list of commonly scanned proxy ports. -jon ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Proxy scan app? James Nonya (Jul 29)
- Re: Proxy scan app? Jon Hart (Jul 29)