Snort mailing list archives

Re: Proxy scan app?


From: Jon Hart <warchild () spoofed org>
Date: Tue, 29 Jul 2003 23:04:50 -0400

On Tue, Jul 29, 2003 at 07:16:49PM -0700, James Nonya wrote:
> Hey all!
>
> Real quick...below is a proxy scan:
>
> <snip>
>
> Now, I made a rule for the AnalogX one, but the 4588
> one I've never seen before.  Anyone have an idea of
> what kind of proxy this is?  These things always scan
> in groups of 3 and 4 ports, so I'm wondering if it's a
> scanning application or something like that.  Thanks
> all!

I don't know of any application that can act like a proxy that sits on
port 4588.  However, many scanners (proxy or otherwise) I've seen in the
wild tend to not only hit common proxy ports (1080, 3128, 8080), but
also hit not-so-common variations like 8081, 4128, 8128, etc.  At least
one theory behind this is that if a particular ISP blocks common proxy
ports, tricky users will try and run proxies on slightly different
ports, and that is likely what the attackers are looking for.

If you can find out if they are looking for something in particular on
port 4588, then maybe a signature could be developed.  Otherwise, you
might just add 4588 to the list of commonly scanned proxy ports.

-jon
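
One way to apply the suggestion above, as an added example that is not part of the original message: group connection attempts by source and flag any source that probes several ports from the proxy port list within a short window. The log format, the threshold of 3 ports and the 60-second window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the message above; 4588 is added to the list as the reply suggests.
PROXY_PORTS = {1080, 3128, 8080, 8081, 4128, 8128, 4588}

# Constructed sample: "timestamp src_ip dst_ip dst_port" for inbound TCP SYNs.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-07-29T19:10:01 192.0.2.10 198.51.100.5 1080
2003-07-29T19:10:01 192.0.2.10 198.51.100.5 3128
2003-07-29T19:10:02 192.0.2.10 198.51.100.5 4588
2003-07-29T19:10:02 192.0.2.10 198.51.100.5 8080
2003-07-29T19:10:05 192.0.2.77 198.51.100.5 80
2003-07-29T19:10:09 192.0.2.77 198.51.100.5 8080
2003-07-29T19:12:00 192.0.2.99 198.51.100.5 3128
2003-07-29T19:40:00 192.0.2.99 198.51.100.5 8081
2003-07-29T20:30:00 192.0.2.99 198.51.100.5 4128
"""

def parse(log):
    """Yield (time, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(fields[0])
        except ValueError:
            continue
        yield ts, fields[1], fields[2], int(fields[3])

def find_proxy_scans(log, min_ports=3, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} where src probed at least min_ports
    distinct proxy ports on dst within one sliding time window."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in PROXY_PORTS:
            hits[(src, dst)].append((ts, port))
    scans = {}
    for pair, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct proxy ports seen from this event to the end of the window.
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scans[pair] = sorted(ports | set(scans.get(pair, [])))
    return scans
```

On the sample, only 192.0.2.10 is flagged: 192.0.2.77 touches a single proxy port, and 192.0.2.99 touches three but spread over more than an hour, so it falls outside the default window.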

