Proxy Servers

During all the analysis we realized that only a small number (10) of machines from the internal network triggered rules^3.8:

115.74.249.202     170.129.50.120     32.245.166.119
115.74.249.65      170.129.50.3       32.245.166.236
138.97.18.225      207.166.87.157
138.97.18.88       207.166.87.40

A very interesting fact is that two machines are located in each of the internal subnets. Furthermore, the snort alerts for all the machines look very much the same. Having analyzed some of the traffic already earlier, we issue a new hypothesis about these machines. They are proxy servers. A few reasons to support this claim:

• All of the 10 machines trigger about the same variety of events.
• Only 10 machines, out of a total of 83634 machines were contacted, show up as sources of events. The others are only targets.
• It seems very unlikely that no other machine in the internal network would trigger a single event.
• The internal machines (i.e., the proxies) seem to have many roles. One of them triggers AOL instant messenger events, participates in DNS zone transfers and offers Web pages. This seems very unlikely.

We can unfortunately not further support this claim without knowing more about the topology.