Alex Kirk wrote:
Additionally, user Alexandru Ionica <gremlin@networked.ro> submitted a
rule which looks for rogue proxy servers running in an organization's
network. Anyone who wishes to submit rules may do so at
http://www.snort.org/reg-bin/rulesubmit.cgi.
Hmm - where should bug reports for community rules go? :-)
I think that rule needs to be fleshed out. For one thing it'd trigger on
every proxy server you have, so maybe it should include a "var"
definition. Also it is specific to Squid - the following will also match
ISA and NetCache.
------------------- change ----------------
#Change the following VALID_PROXY_SERVERS to define the valid proxy
servers on your network,
#otherwise this will never trigger (e.g. "var VALID_PROXY_SERVERS
[1.2.3.4/32,1.2.4.44/32]")
var VALID_PROXY_SERVERS $HOME_NET
alert tcp !$VALID_PROXY_SERVERS any -> $EXTERNAL_NET any (msg:"COMMUNITY
WEB-MISC Proxy \
Server Access"; flow:established,from_server;
content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP";\
nocase; content: !"ERR_ACCESS_DENIED"; nocase; logto: "proxy";
sid:100000132; rev:2;)
-------------------------------------------------
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
