Snort mailing list archives

Proxy question
From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 9 Nov 2010 09:49:29 -0700

So I see a fair amount of:

11/09-09:42:53.902454  [**] [119:17:1] (http_inspect) UNAUTHORIZED PROXY USE DETECTED [**] [Priority: 3] {TCP} 10.1.5.4:1105 -> 10.21.0.16:8080

My question is...why?  My home net is set at 10.0.0.0/8, so I suspect I'm missing something else...here's some snort.conf detail:

var HTTP_SERVERS 10.21.0.16
portvar HTTP_PORTS [80,1220,2301,3128,5080,7777,7779,8000,8008,8028,8080,8180,8888,9999]

preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 1500 \
    max_header_length 4096 \
    max_headers 100 \
    ports { 80 1220 2301 3128 5080 7777 7779 8000 8008 8014 8028 8080 8180 8888 9999 52400 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
#    enable_xff \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    u_encode yes \
    webroot no

Any pointers would be excellent...thank you.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
