##########################################
#
# Web Proxy Use Snort Rules
#
# Copyright 2005-2006 Cory Bys
# All Rights Reserved
# Particle.Bored@kgb.to
#
# This rule set is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This rule set is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Last Update 29 August 2006
#
##########################################
#
# What the rules do
#   Each rule alerts (classtype policy-violation) on an established TCP flow
#   from $HOME_NET to any host on $HTTP_PORTS whose payload contains "GET "
#   and a "Host:" header value that is one of the listed web-proxy domains.
#   The group (\s[a-zA-Z0-9.-]+\.|\s) accepts either the bare domain or the
#   domain preceded by any subdomain labels. The domain list is split
#   alphabetically across four rules: 1-f, g-o, p, q-z.
#
# Review notes before deploying
#   - No rule carries a sid: or rev: option and all four share one msg, so
#     alerts cannot be attributed to a specific rule or tracked across edits.
#     Assign a unique sid from your local range and a rev to each rule;
#     newer Snort releases are understood to refuse rules without a sid
#     (verify for your version).
#   - The dots inside the domain alternation are unescaped, so "." matches any
#     byte: the entry fc2.com also matches a constructed host such as
#     "fc2xcom". Writing them as "\." removes those false positives.
#   - Matching is case-sensitive (no "nocase" on the content, no /i on the
#     pcre) and the pattern requires \r\n directly after the domain, so a
#     request whose Host header uses different letter case or carries an
#     explicit ":port" suffix is not matched. Consider /i and an optional
#     port group if those requests should alert too.
#   - Only cleartext "GET " requests on $HTTP_PORTS are inspected; other
#     methods and TLS sessions are outside what these rules can see.
#   - flow:established has no direction keyword; since requests travel to the
#     server, adding to_server would presumably avoid evaluating responses.
#   - "GET " is the only content match, so the large pcre alternation is
#     likely evaluated on most HTTP requests; measure the cost on busy links.
#   - The list is a snapshot dated 29 August 2006; review entries for current
#     ownership and relevance before treating a hit as a policy violation.
#   - Keep each rule on one physical line (or use a trailing backslash to
#     continue it); a bare line break inside the pcre breaks the rule.
#
# NOTE(review): a lone "#" precedes every rule in this file; it is kept here as
# a separator line, leaving the rules enabled. Confirm against the upstream
# copy that the rules were not shipped commented out ("# alert ...").
#
# Rule 1 of 4: proxy domains beginning with a digit through "f".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"INAPPROPRIATE - Web Proxy Use"; flow:established; content:"GET "; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(123open.org|2255.info|24proxy.com|3proxy.com|75i.net|78y.net|a-bug.com|a4u.at|abecx.net|afreefunkoxy.com|afreeproxy.com|alienproxy.com|altproxy.com|amegaproxy.com|anon.de|anonprox.com|anonproxy.info|anonycat.com|anonymate.com|anonymization.net|anonymizer.(com|ru)|anonymouse.(de|org|ws)|anonymous.as|anonymousindex.com|anonymousinet.com|anonymousurfing.info|anonypath.(com|net)|anonypost.com|anotherproxy.com|anoxx.com|anti-boredom.co.uk|antifw.tk|antitrace.(com|net)|aproxysite.com|arandomproxy.com|arnit-proxy.net|atschool.be|atunnel.com|autistici.org|avidproxy.com|backfox.com|bestwebproxy.com|betaproxy.com|bigate.com|bigproxy.org|bingoproxy.com|blazeboard.com|blockfilter.com|blockmy.info|boardmerlin.com|boredatschool.net|boredatwork.info|boxproxy.com|breiter.ch|browseany.com|browseatwork.(com|net)|browsecop.com|browserproxy.ath.cx|browseschool.info|browsesecurely.com|browsework.(info|net)|browsingschool.(com|info)|browsingwork.(com|info)|btunnel.com|buzzysplat.com|bypassbrowser.com|bypasser.be|bypassit.be|bypassnow.net|cacheless.org|calcmaster.net|cecid.org|cgi-proxy.net|cgiproxy.info|ciscogeek.com|cleverproxy.com|clickcop.com|cloaker.ca|cloakmy.info|cloax.net|collegeproxy.com|concealme.info|consti.de|coolhandle.com|cpr0x.com|ctunnel.com|cyberbite.com|dareproxy.com|darkproxy.com|datadefense.org|daveproxy.co.uk|demonproxy.com|desireproxy.com|dfzx.com.cn|dnbroker.us|drproxy.net|dtunnel.com|dualproxy.com|dzzt.com|e-konkursy.com|easyproxy.org|enigmaproxy.com|evaded.net|ezproxy.org|famous5.net|fatproxy.com|fc2.com|filtergotowned.com|fireprox.(com|net)|flylikeaturtle.com|foxyproxy.net|frastproxy.com|freakproxy.com|free-proxy.info|freebieproxy.com|freehttpproxy.com|freepr0xy.com|freeproxy.ca|freeproxyserver.org|freeproxysite.com|freeproxysurf.info|freeproxysurfing.com|freeteenproxy.com|freetoview.net|freeusaproxy.com|freewebproxy.org|freshproxy.com|fritoon.info|fsurf.com|fullysickproxy.com)\r\n/"; classtype: policy-violation;)
#
# Rule 2 of 4: proxy domains beginning with "g" through "o".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"INAPPROPRIATE - Web Proxy Use"; flow:established; content:"GET "; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(gamecrib.net|gamesproxy.com|geoepker.hu|getaroundfilters.com|getproxy.org|ghostclick.com|giantsurf.com|goproxing.com|goproxy.org|gouc.fr|greenrabbit.org|guardster.com|h0h0h0.com|handsoffmycomputer.com|hatkoff.com|hcmfactor.com|helpmehide.com|hide-me.be|hidemyass.com|hidemyinfo.info|hideip.be|hideyour.info|hidingyou.com|hoofle.com|httproxy.com|hujiko.com|i-secure.ws|iamnewguy.com|ibypass.(biz|com|name|net|org|us)|iceproxy.net|idoxy.com|idzap.com|ieproxy.com|imsostudying.com|indianproxy.com|intbonline.com|intelliproxy.com|ipblocker.info|ipbouncer.be|iphide.com|ipsecret.com|ipzap.com|iwantmyowncomputer.com|jj4.net|justhide.com|justproxy.net|justproxyit.com|kampen.org|katedrala.cz|kproxy.com|letmeby.com|letsproxy.com|link-proxy.com|liveproxy.us|logbuster.(com|net)|long999.com|iv6.net|megaproxy.com|melloyello.org|misterprivacy.com|misterproxy.com|mrproxy.com|mrreid.net|ms-excel-help.com|msnvip.com|msxsecurity.com|mtfreeproxy.com|myproxy.ca|myproxysite.com|myproxysurfer.com|mysticproxy.com|mywebtunnel.com|neoproxy.net|nethush.com|netsack.net|networktechs.com|newproxy.be|nightproxy.com|ninjababe.com|ninjaproxy.com|no1proxy.com|nomorelimits.net|nopath.(com|net)|nopimps.com|novaproxy.com|ohmyproxy.com)\r\n/"; classtype: policy-violation;)
#
# Rule 3 of 4: proxy domains beginning with "p".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"INAPPROPRIATE - Web Proxy Use"; flow:established; content:"GET "; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(pagebang.com|pagehot.com|pagewash.com|pc-portal.at|peoplesproxy.com|perfectproxy.com|perlproxy.com|phpelement.co.uk|phproxy.(info|org|us)|pimpmyip.com|pimpproxy.com|pinoytop100.com|pornoproxy.com|poxy.us.to|pr0xy.org|primeproxy.com|privatebrowsing.com|procksie.com|projectbypass.com|prowser.com|proxene.com|proxert.com|proxified.net|proxify.(biz|cn|com|de|info|net|org|us)|proxoid.com|proxy.tl|proxy-sock.com|proxy-surf.net|proxy1.be|proxy121.com|proxy247.com|proxy77.com|proxy7.com|proxyanon.com|proxyarea.com|proxyaware.com|proxyboys.com|proxybrowsing.com|proxybull.com|proxybuster.net|proxycat.com|proxychatroom.com|proxychoice.com|proxycircle.com|proxycombat.com|proxycover.net|proxycraze.com|proxydetective.com|proxydrop.(biz|com|info|net|org)|proxydude.com|proxyearth.com|proxyeyes.com|proxyforall.com|proxyfox.info|proxyfoxy.com|proxygasp.com|proxygeek.com|proxyghost.com|proxyguy.com|proxyhero.com|proxyhub.com|proxyify.info|proxykid.com|proxyking.net|proxykingz.com|proxyjet.com|proxylord.com|proxymize.com|proxymod.com|proxymouse.com|proxynine.com|proxyparty.com|proxypeak.com|proxypi.com|proxypla.net|proxyplease.com|proxypop.com|proxyprince.com|proxypunk.com|proxys4all.com|proxysafe.com|proxyserver7.com|proxyslash.com|proxysnail.com|proxysnow.com|proxyspy.com|proxysufing.net|proxytap.com|proxytastic.com|proxythat.com|proxytouch.com|proxyvibe.com|proxyvisit.com|proxywave.com|proxyweb.net|proxywebsite.com|proxywhip.com|proxywhiz.com|proxyz.be|proxz.com|pruxy.com|prx1.com|psurf.net|public-proxy.com|pureprivacy.com)\r\n/"; classtype: policy-violation;)
#
# Rule 4 of 4: proxy domains beginning with "q" through "z".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"INAPPROPRIATE - Web Proxy Use"; flow:established; content:"GET "; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(quietproxy.com|radio-farda.com|rapidwire.net|rewebber.(com|de)|roachhost.com|runarcade.com|safeforwork.net|safegatetech.com|safeproxy.org|safesurfers.net|satanproxy.com|secretbrowse.com|shadowbrowser.com|shadowsurf.com|shareinside.net|siatec.net|siegesoft.com|silentsurf.com|simpleproxy.com|siteallow.com|sitesneak.com|slideproxy.com|smallproxy.com|smart-proxy.com|smartproxy.(net|org)|sneak2.com|sneakthrough.com|sneakysurf.com|sneakyuser.com|snoopblock.(com|net)|snoopblocker.(com|net)|someproxy.com|songtoday.com|sonicpig.com|sonicproxy.com|spaceproxy.com|spiffyproxy.com|spondoo.com|spynot.com|spysurfing.com|stealth-ip.net|stoptheblock.com|studentproxy.com|stupidproxy.com|surf-anon.com|subdimension.com|surfatschool.net|surfbyproxy.net|surfola.com|surfonym.com|sweetproxy.com|switchproxy.com|techtakover.com|teenproxy.com|thatproxy.com|the-cloak.com|thecabletown.com|thecgiproxy.com|theproxy.(be|info)|theproxyfree.com|theproxysite.info|theproxyspot.com|thestrongestlinks.com|theunblocker.tk|thewebtunnel.com|thisproxy.org|tntproxy.com|torify.com|totalupload.com|traceless.com|ukproxy.com|unblockmyspace.com|unblockthe.net|unblockthis.com|undirect.com|unipeak.com|unknownproxy.com|urlencoded.com|useproxy.net|userbeam.de|vbrowse.com|virtual-browser.com|visitany.com|vpntunnel.com|vproxy.be|vtunnel.com|w00tage.com|w3privacy.com|wablair.digitalspace.net|wantproxy.com|webfringe.com|webshopcd.ru|websiteproxy.org|webtoolsking.com|webwarper.net|whiteproxy.com|winidn.com|wkccp.com|workbrowse.com|worldwideproxy.com|wowbrowse.com|wrigglethrough.com|xanproxy.be|xroxy.com|yourfreeproxy.com|your-proxy.com|yourproxy.org|yoursdomain.com|zoomproxy.com|zoot-proxy.com)\r\n/"; classtype: policy-violation;)