File: 100000132.txt

Rule: 

--
Sid: 
100000132

-- 
Summary: 
This event is generated when a connection is made to the Internet via a proxy 
server on your internal network. 

-- 

Impact: 
If the server is not legitimate, anyone with access to it can use your 
bandwidth to access the Internet; if users conduct malicious activity on the 
Internet through this server, the activity will appear to have come from the 
misconfigured machine.

--
Detailed Information:
This rule looks for pieces of HTTP requests being made by a misconfigured 
Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is 
coming from is not a known proxy server, it indicates that the machine in 
question is either improperly configured or has been compromised.

False positives associated with this rule may be reduced considerably, or even 
eliminated, by the use of a custom variable. By editing your snort.conf to 
include "var KNOWN_PROXY_SERVERS = [<list of valid servers>]" and modifying the 
rule to read "alert tcp !$KNOWN_PROXY_SERVERS", all proxy activity associated 
with these machines will be ignored.
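As an added illustration that is not part of this rule document, the snort.conf fragment below shows the variable declaration and the adjusted rule header described above. The proxy addresses are constructed for the example, Snort 2.9's `ipvar` keyword is used for the IP list, and the destination side of the header and the rule's option block are placeholders, since the rule text itself is not reproduced on this page.

```snort
# snort.conf: declare the hosts that are allowed to act as forward proxies.
# The addresses are constructed for this example; substitute your own.
ipvar KNOWN_PROXY_SERVERS [192.0.2.10,192.0.2.11]

# Adjusted rule header: the leading "!" negates the variable, so traffic whose
# source is one of the listed proxies never reaches the rule's option checks.
# Destination fields and the option block are placeholders; keep the original
# rule's own options and revision unchanged.
alert tcp !$KNOWN_PROXY_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"<original msg>"; <original rule options>; sid:100000132; rev:<original rev>;)
```

Validate the edited configuration with `snort -T -c <path to snort.conf>` before reloading. Note that the negation only suppresses the rule for the listed sources; a legitimate proxy that is itself being abused will no longer raise this alert, so the access restrictions described under Corrective Action still need to be enforced on those hosts.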

--
Affected Systems:

--

Attack Scenarios: 
This vulnerability may be exploited with a web browser or a script.

-- 

Ease of Attack: 
Simple, as it can be exploited using a web browser.

-- 

False Positives:
None Known.

--
False Negatives:
None Known.

-- 

Corrective Action: 
Enforce access restrictions if this is a legitimate proxy server that is being 
abused; remove the server from machines on which there was no legitimate 
installation, and search for other signs of system compromise.

--
Contributors: 
Alexandru Ionica <gremlin@networked.ro>
Alex Kirk <alex.kirk@sourcefire.com>

-- 
Additional References:

--