SUC013 : Paros Proxy Scanner
- Use Case Reference : SUC013
- Use Case Title : Paros Proxy Scanner
- Use Case Detection : IDS / HTTP logs
- Targeted Attack : Yes, most of the time this tool is used to target the Web application
- Identified tool(s) : Paros Proxy
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random, but static source port when scan is initiated
- Destination Port(s) : 80/TCP, 443/TCP
- Paros Proxy
Emerging Threats SIG 2008187 creates an alert if the user agent “Paros” is detected in traffic whose destination matches the HTTP, or HTTPS, variable definitions. An alert is triggered each time the user agent is detected. The sum of alerts from the same source, to the same destination, during an interval of time gives you the number of content items that have been proxied by Paros.
Paros Proxy is normally used to evaluate the security of Web applications. All HTTP and HTTPS data between server and client, including cookies and form fields, is intercepted and can be modified. If you detect this kind of activity, you should add the attacker IP address to an “Aggressive Attacker” list for further trends and correlations.
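The same counting applied to HTTP logs, as an added example that is not part of the original use case. It assumes Apache's `vhost_combined` log layout, a 5-minute window and a threshold of 2 hits; the function names and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed layout (Apache "vhost_combined"):
# vhost:port client ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def paros_hits(lines, window_seconds=300):
    """Count requests whose User-Agent contains "Paros",
    keyed by (source, destination, window start as epoch seconds)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "Paros" not in m["ua"]:
            continue  # unparsable line or a different user agent
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = int(ts.timestamp()) // window_seconds * window_seconds
        hits[(m["src"], m["dst"], window)] += 1
    return hits

def aggressive_attackers(hits, threshold=2):
    """Sources reaching `threshold` hits on one destination within one window."""
    return sorted({src for (src, _dst, _win), n in hits.items() if n >= threshold})

# Constructed sample lines (documentation addresses and hostnames).
PAROS_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Paros/3.2.13)"
SAMPLE_LOG = [
    f'www.example.com:80 192.0.2.10 - - [12/Mar/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "{PAROS_UA}"',
    f'www.example.com:80 192.0.2.10 - - [12/Mar/2012:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 734 "-" "{PAROS_UA}"',
    f'www.example.com:80 192.0.2.10 - - [12/Mar/2012:10:00:04 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "{PAROS_UA}"',
    'www.example.com:80 198.51.100.7 - - [12/Mar/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'shop.example.com:443 192.0.2.10 - - [12/Mar/2012:10:07:30 +0000] "GET /cart HTTP/1.1" 200 90 "-" "{PAROS_UA}"',
]

if __name__ == "__main__":
    hits = paros_hits(SAMPLE_LOG)
    for (src, dst, win), n in sorted(hits.items()):
        print(src, dst, win, n)
    print("Aggressive Attacker list:", aggressive_attackers(hits))
```

The user agent is client-controlled, so a zero count here does not show that no intercepting proxy was used.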