| GEN:SID | 1:615 |
| Message | SCAN SOCKS Proxy attempt |
| Summary | An external host has requested to start communications with your host on port 1080. |
| Impact | Network reconnaissance. |
| Detailed Information | Improperly configured SOCKS proxies can be abused to allow a hostile user to launch attacks and make them appear to come from your site. Additionally, if the proxy is behind a firewall or is a trusted host, it can be used to gain further access into your network and other hosts. |
| Affected Systems | Any system with a SOCKS proxy server installed. |
| Attack Scenarios | An attacker uses your misconfigured proxy to anonymize their other illegitimate activities or to gain further access to your network. |
| Ease of Attack | Trivial or extremely difficult, depending on proxy configuration. |
| Corrective Action | Allow only internal users to connect to the proxy, or configure strong access control. |
| Additional References | UnderNet: http://help.undernet.org/proxyscan/ |
| Rule References | url: help.undernet.org/proxyscan/ |
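
The following triage sketch is an added example, not part of the original rule documentation or of the rule itself. It separates bare probes of port 1080 from cases where one of your proxies actually accepted an external client without authentication, which is the misconfiguration the Corrective Action addresses. The `HOME_NET` ranges, the session tuple layout and all function names are assumptions, and the SOCKS5 method codes come from RFC 1928 rather than from this page.

```python
import ipaddress

# Assumption: your internal address space; replace with your own ranges.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# SOCKS5 method-selection codes (RFC 1928): 0x00 = no authentication, 0xFF = none acceptable.
NO_AUTH, REJECTED = 0x00, 0xFF

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def selected_method(reply: bytes):
    """Return the method byte the proxy chose, or None if this is not a SOCKS5 reply."""
    if len(reply) < 2 or reply[0] != 5:
        return None
    return reply[1]

def triage(sessions):
    """Return (src, dst, verdict) for external -> internal connections to port 1080."""
    out = []
    for src, dst, dport, reply in sessions:
        if dport != 1080 or is_internal(src) or not is_internal(dst):
            continue
        method = selected_method(reply)
        if method is None:
            verdict = "probe-only"        # no SOCKS5 reply seen: port probe or another service
        elif method == NO_AUTH:
            verdict = "open-to-external"  # proxy accepted an outside client unauthenticated
        elif method == REJECTED:
            verdict = "denied"            # proxy refused every offered method
        else:
            verdict = "auth-required"     # GSSAPI, username/password, or a private method
        out.append((src, dst, verdict))
    return out

# Constructed sample sessions: (client, server, dst port, first bytes sent by the server).
SAMPLE = [
    ("203.0.113.7", "10.1.1.5", 1080, b""),
    ("203.0.113.7", "10.1.1.9", 1080, b"\x05\x00"),
    ("198.51.100.4", "10.1.1.9", 1080, b"\x05\xff"),
    ("10.2.0.8", "10.1.1.9", 1080, b"\x05\x00"),
    ("203.0.113.7", "10.1.1.5", 443, b""),
    ("192.0.2.33", "10.1.1.20", 1080, b"\x05\x02"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

An `open-to-external` verdict means the access control described under Corrective Action is not in effect for that proxy; `probe-only` matches the reconnaissance impact noted above.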