Rule:  

--

Sid:

615

--

Summary:

An external host has requested to start communications with your host on
port 1080.

--

Impact:

Network reconnaissance.

--

Detailed Information:

Improperly configured SOCKS proxies can be abused to allow a hostile
user to launch attacks and make them appear to come from your site.

Additionally, if the proxy is behind a firewall or is a trusted host, it
can be used to gain further access into your network and other hosts.

--

Affected Systems:

Any system with a SOCKS proxy server installed.

--

Attack Scenarios:

An attacker uses your misconfigured proxy to anonymize their other
illegitimate activities or to gain further access to your network.

--

Ease of Attack:

Trivial or extremely difficult, depending on proxy configuration.

--

False Positives:

Non-proxy applications running on port 1080, regardless of purpose, will
trigger this alert every time any session begins.
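
One way to triage these alerts, as an added example that is not part of
the original Snort documentation: classify the first client message of
the port-1080 session as a SOCKS5 greeting, a SOCKS4 request, or
something else. It assumes the first reassembled client payload is
available from packet capture; the function name and sample bytes are
constructed for illustration.

```python
import ipaddress
import struct

SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}
SOCKS4_COMMANDS = {0x01: "CONNECT", 0x02: "BIND"}


def classify_first_bytes(payload: bytes) -> dict:
    """Classify the first client message seen on a port-1080 session."""
    if len(payload) < 2:
        return {"verdict": "unknown", "reason": "too short to judge"}
    version = payload[0]
    if version == 0x05:
        # RFC 1928 greeting: VER, NMETHODS, then exactly NMETHODS bytes.
        # The client then waits for the server's choice, so any extra or
        # missing bytes mean this is probably not a SOCKS5 negotiation.
        nmethods = payload[1]
        if nmethods == 0 or len(payload) != 2 + nmethods:
            return {"verdict": "not-socks", "reason": "malformed SOCKS5 greeting"}
        names = [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in payload[2:]]
        return {"verdict": "socks5", "methods": names}
    if version == 0x04:
        # SOCKS4 request: VN, CD, DSTPORT (2), DSTIP (4), USERID, NUL.
        if len(payload) < 9 or payload[1] not in SOCKS4_COMMANDS:
            return {"verdict": "not-socks", "reason": "malformed SOCKS4 request"}
        if b"\x00" not in payload[8:]:
            return {"verdict": "not-socks", "reason": "unterminated USERID"}
        (port,) = struct.unpack("!H", payload[2:4])
        dst = ipaddress.IPv4Address(payload[4:8])
        return {"verdict": "socks4", "command": SOCKS4_COMMANDS[payload[1]],
                "dst": f"{dst}:{port}"}
    return {"verdict": "not-socks", "reason": f"first byte 0x{version:02x}"}


# Constructed sample payloads (documentation address 192.0.2.10).
SAMPLES = {
    "socks5 greeting": b"\x05\x02\x00\x02",
    "socks4 connect": b"\x04\x01\x00\x50\xc0\x00\x02\x0a\x00",
    "http on 1080": b"GET / HTTP/1.1\r\n",
    "truncated socks5": b"\x05\x03\x00",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:18} {classify_first_bytes(data)}")
```

A "not-socks" verdict points to the false positive case described
above; a "socks4" or "socks5" verdict from an external source means the
proxy's access control should be reviewed.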

--

False Negatives:

None known.

--

Corrective Action:

Allow only internal users to connect to the proxy, or configure strong
access control.

--

Contributors:
Original Rule Writer Unknown
Snort documentation contributed by Gene R Gomez (gene!AT!gomezbrothers!DOT!com)

-- 

Additional References:

UnderNet:
http://help.undernet.org/proxyscan/

