SonicALERT
Search

Sonicwall Signatures


Go to All Categories list.
Go to All Applications list.

Category: PROXY-ACCESS

Proxy-Access Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent unauthorized access to proxy servers. Proxy servers help provide users inside a network with freedom of access to outside network services, often by circumventing a firewall. The traffic detected by these signatures is not a threat in and of itself, but it can represent a violation of network policy and possibly open the network to future attacks.

These signatures detect several different types of proxy server traffic ranging from higher security to lower security including outbound access to SOCKS servers, various programs that provide tunneling services, and generic attempts to access HTTP proxies outside the network. SOCKS connections require some form of authentication, and represent comparatively less risk than other proxy connections. Tunneling services, on the other hand, can open holes in the firewall that recieve less scrutiny than other traffic moving into the network. Other HTTP attempts can signal that the user is using services like Instant Messengers or Peer-to-Peer filesharing clients in violation of company policy. Some types of proxies can provide remote administrative access for users outside the network to workstations inside the network and evade a perimeter firewall.

SonicWALL signatures in this category are considered low-priority and are set by default to detect this type of network traffic. These signatures can be enabled if proxy access is in violation of network policy.

  Encrypted Key Exchange -- Random Encryption (Skype,UltraSurf, eMule)
  Non-SSL traffic over SSL port -- Traffic Anomaly Detection
  Encrypted Key Exchange -- UDP Random Encryption (UltraSurf)
  Freegate -- HTTPS Activity 1 [Reqs SIDs 5, 7]
  NinjaCloak -- HTTP Activity
  NinjaCloak -- HTTPS Activity
  Megaproxy -- HTTPS Activity 1
  WPAD -- HTTP Activity (Get Data)
  KProxy -- HTTP Activity 1
  KProxy -- HTTP Activity 2
  KProxy -- HTTPS Activity 1
  Megaproxy -- HTTPS Activity 2
  PHProxy -- HTTP Activity
  SOCKS 5 -- Server Response
  SOCKS 4 -- Server Response
  ProxEasy -- HTTP Activity
  Hopster -- TCP Activity
  OVH -- HTTPS Activity (ovh.com)
  OnWorks -- HTTPS Activity
  Vultr -- HTTPS Activity
  Your Freedom -- TCP Activity 1
  Your Freedom -- TCP Activity 2
  Glype -- HTTP Activity 1
  Freegate -- HTTPS Activity 2 [Reqs SIDs 5, 7]
  Glype -- HTTP Activity 2
  Guardster -- HTTP Activity
  Tor -- Client Request 1
  Tor -- Client Request 2
  Tor -- Server Response
  Tor -- Client Request 5
  HTTP Proxy -- GET Method
  OVH -- HTTPS Activity (ovhcloud.com)
  Youngzsoft CCProxy -- Server Response
  HTTP Proxy -- Request URI (FTP)
  Ultrasurf -- HTTP Activity 3 [Reqs SIDs 5, 6, HTTP Proxy sigs, DPI-SSL CI]
  Ultrasurf -- UDP Activity 1 [Reqs SIDs 5, 6, HTTP Proxy sigs, DPI-SSL CI]
  JonDo Proxy -- TCP Activity
  httptunnel -- Client Request (Proxy Wrapper)
  httptunnel -- Client Request (Tunnel Open)
  HTTP Proxy -- App Message (Keep Alive)
  Tor -- Client Request 3
  Psiphon -- TCP Activity 1 [Reqs SID 5 and DPI-SSL CI]
  Tor -- Client Request 4
  Spotflux -- DNS Query
  Spotflux -- TCP Activity
  Spotflux -- UDP Activity
  HTTP Proxy -- POST Method
  KProxy -- HTTPS Activity 2
  OpenDoor -- HTTPS Activity
  Bitvise SSH -- Client Request
  Bitvise SSH -- Server Response
  Burp Proxy -- HTTPS Activity
  Tor -- Client Request 6
  Psiphon -- TCP Activity 2 [Reqs SID 5 and DPI-SSL CI]
  Tor -- Client Request 7
  Ngrok -- DNS Query
  Psiphon -- TCP Activity 6 [Reqs SID 5 and DPI-SSL CI]
  Psiphon -- UDP Activity 1 [Reqs SID 5 and DPI-SSL CI]
  PD-Proxy -- DNS Query
  Ultrasurf -- HTTP Activity 1
  Browsec -- HTTPS Activity 1
  JonDo Proxy -- HTTPS Activity
  Psiphon -- TCP Activity 5 [Reqs SID 5 and DPI-SSL CI]
  I2P -- HTTP Activity 1 [Reqs SIDs 5, 7]
  I2P -- HTTP Activity 2 [Reqs SIDs 5, 7]
  Ultrasurf -- HTTP Activity 2 [Reqs SIDs 5, 6, HTTP Proxy sigs, DPI-SSL CI]
  Psiphon -- TCP Activity 4 [Reqs SID 5 and DPI-SSL CI]
  Psiphon -- TCP Activity 3 [Reqs SID 5 and DPI-SSL CI]
  Appsverse Photon -- TCP Activity
  Appsverse Photon -- HTTP Activity 1 [Reqs DPI-SSL CI]
  Appsverse Photon -- HTTP Activity 2
  Appsverse Photon -- HTTP Activity 3
  Psiphon -- UDP Activity 2 [Reqs SID 5 and DPI-SSL CI]
  FreeMyBrowser -- HTTPS Activity
  HTTP Proxy -- Authorization
  Ultrahook -- HTTP Activity
  Psiphon -- TCP Activity 7 [Reqs SID 5 and DPI-SSL CI]
  Browsec -- HTTPS Activity 2


Relevant Information