List: emerging-sigs
Subject: [Emerging-Sigs] proxy
From: David.R.Wharton () regions ! com (David ! R ! Wharton () regions ! com)
Date: 2009-05-19 14:32:53
Message-ID: OF03058DC0.D92F1081-ON862575BB.004D8051-862575BB.004FEA73 () corp ! rgbk ! com
While not perfect, you could flag on an absoluteURI in an HTTP request:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET POLICY Proxy Usage Detected"; \
    flow:established,to_server; \
    uricontent:"http"; nocase; \
    pcre:"/^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT)\shttps?://.*\sHTTP/1\.[01]\x0D\x0A/i"; \
    classtype:policy-violation; sid:xxxxxx; rev:1; \
)
-David Wharton
James Pleger <jpleger at gmail.com>
Sent by: emerging-sigs-bounces at emergingthreats.net
05/18/2009 06:46 PM
To: James Pleger <jpleger at gmail.com>
cc: Emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] proxy
I also forgot to add that the signatures that are in the ET rulesets are
mostly for detecting outbound proxy connections from your network to an
external box which could indicate that a client on your host is doing
naughty things.
Regards,
James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9
On May 18, 2009, at 4:42 PM, James Pleger wrote:
The only thing that you can detect is by looking at the VIA and
X-Forwarded-For headers, which typically indicate proxy activity. There
are some other headers depending on the proxy but those are the most
common. In regards to finding what is behind the proxy, that is going to
be difficult unless they send the X-Forwarded-For headers.
There are some proxy blacklists which have lists of open proxies which
might be useful for you (although I don't have the URLs, you can probably
google for them).
Regards,
James Pleger
e: jpleger at gmail.com
g: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D7141C9
On May 18, 2009, at 4:35 PM, Jules Pagna Disso wrote:
Hi guys,
Is there a way we can identify traffic behind a proxy server, or
identify that a proxy server is being used?
I assume that someone is trying to bypass some restrictions of some sort.
Do we have a rule for that, or is there no solution?
Thanks,
Jules
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
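The two heuristics raised in this thread, an absolute URI on the request line (David's rule) and the Via / X-Forwarded-For headers (James's reply), as an added Python example that is not part of the original thread; the three raw requests it checks are constructed samples, not captured traffic.

```python
"""Flag HTTP requests that look like they went through a proxy."""
import re

# Same request-line pattern as the Snort rule in the thread (\x0D\x0A written as \r\n).
# Caveat from the thread: not perfect, a client may legitimately send an absolute URI.
ABSOLUTE_URI_RE = re.compile(
    rb"^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT)\shttps?://.*\sHTTP/1\.[01]\r\n",
    re.IGNORECASE,
)

# Headers that typically indicate proxy activity (per James's reply).
PROXY_HEADERS = (b"via", b"x-forwarded-for")


def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased header name: value} for the header block of a raw request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: bytes) -> list:
    """Return the sorted list of proxy indicators found in one raw HTTP request."""
    findings = []
    if ABSOLUTE_URI_RE.match(raw):
        findings.append("absolute-uri")
    headers = parse_headers(raw)
    findings.extend(name.decode() for name in PROXY_HEADERS if name in headers)
    return sorted(findings)


def scan(samples: dict) -> dict:
    """Classify every request in {label: raw_request}, keeping only labels with findings."""
    return {label: hits for label, raw in samples.items() if (hits := classify(raw))}


# Constructed sample requests (not real traffic).
SAMPLES = {
    "direct": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "absolute": b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "forwarded": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Via: 1.1 proxy.example.net\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n"),
}

if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        print(f"{label}: {', '.join(hits)}")
```

Note that a CONNECT tunnel (`CONNECT host:443 HTTP/1.1`) carries no `http://` scheme on the request line and is not caught by the absolute-URI check, matching the behaviour of the posted rule.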