RE: [Snort-sigs] Anonymous Proxy Server Detection

From: Kreimendahl, Chad J <Chad.Kreimendahl(at)umb.com>
Date: Thu Mar 18 2004 - 11:33:39 EST

Depending on what hardware/software you use for URL filtering, you may be able to just block the 'anonymizer' category within the filter.

BlueCoat's Proxy and NetApp's NetCache Proxy both have filtering software built in to allow for this... In my past experience with these, they work well... However, some nifty anonymizer software now will connect out on very commonly open outbound ports (ssh, ftp, etc.). Any rule you write would likely have to watch every ounce of traffic...

If it's catching people you want... Check Google for anonymizers and just look for SYN packets to them.

alert tcp $INTERNAL_NETS 1024: -> $ANONYMIZER_NETS any (msg:"POLICY Anonymizer Monkey"; flags:S,12;)

Of course, I've also seen anonymizers that emulate TCP through UDP or ICMP simply for the purposes of getting around stuff like this. Though, those were made by very crafty/sneaky people, and I don't think they're publicly available.

-----Original Message-----
From: eric.ferguson@jaguartech.com [mailto:eric.ferguson@jaguartech.com]
Sent: Wednesday, March 17, 2004 4:30 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Anonymous Proxy Server Detection

Anyone have a method to detect when anonymous proxies are being used? I am in a school environment and kids are bypassing our URL filtering by either a) using an anonymous proxy configured via the Internet browser or b) using a CGI on an anonymous proxy server. Any help would be GREATLY appreciated.

Thanks,

Eric Ferguson



This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu Mar 18 11:52:25 2004
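
Added example (not part of the original thread or of Snort itself): one way to maintain the address list the reply suggests and to check which packets a SYN-only rule with flags:S,12 would fire on. The addresses are constructed documentation ranges, INTERNAL_NETS is assumed to be 10.0.0.0/8, the helper names are hypothetical, and the rule's source-port test is not modelled.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real anonymizer hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for this example
ANONYMIZER_SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.0/25",
                      "198.51.100.128/25", "203.0.113.7/32"]

# TCP flag bits in header order; ECE and CWR are the old "reserved" bits 2 and 1.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
RESERVED_12 = ECE | CWR  # the bits the ",12" mask in flags:S,12 ignores


def build_networks(entries):
    """Validate each entry (ValueError on a bad one) and merge adjacent ranges."""
    nets = [ipaddress.ip_network(e, strict=True) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def snort_var(name, nets):
    """Render a Snort 2.x style variable definition for snort.conf."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


def rule_matches(src, dst, tcp_flags, anonymizer_nets):
    """True if a packet is internal -> anonymizer and satisfies flags:S,12."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(src_ip in n for n in INTERNAL_NETS):
        return False
    if not any(dst_ip in n for n in anonymizer_nets):
        return False
    # Exactly SYN once the two reserved bits are masked off, so the opening
    # SYN of a connection matches but the SYN-ACK reply and data packets do not.
    return (tcp_flags & ~RESERVED_12 & 0xFF) == SYN


if __name__ == "__main__":
    nets = build_networks(ANONYMIZER_SOURCES)
    print(snort_var("ANONYMIZER_NETS", nets))
    for flags in (SYN, SYN | ECE | CWR, SYN | ACK, ACK | PSH):
        print(format(flags, "08b"),
              rule_matches("10.1.2.3", "198.51.100.200", flags, nets))
```

Matching only the initial SYN gives one alert per connection attempt rather than one per packet, which keeps the rule cheap even when the address list is long.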

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT