Closed jgedeon120 closed 7 years ago
Probably it's a misconfiguration? Like with publicly accessible TR-069, which is not necessarily a vulnerable service but definitely a should not.
Do you think the type of proxy and the taxonomy of suspicious are fitting? I don't see the type being used for other types but the suspicious taxonomy I could see it being used for other types.
ping @aaronkaplan
@aaronkaplan Can you please weigh in on this. I would like to create a classification type of proxy with the taxonomy mapping to suspicious.
The feed in question is http://txt.proxyspy.net/proxy.txt, the parser would basically give the source.ip, source.port, and source.geolocation.cc. Users could then use the list to check their firewall logs for outbound traffic matching the IP and port.
IMHO it's unfortunately right now an "Other" taxonomy. Type is something you can define pretty much. You could also call it "Vulnerable" but... that's not really a vulnerability in the software itself. ... it's just misconfigured (intentionally?). I'd go with "Other".
See https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/existing-taxonomies
I was starting to work on a parser for proxies. It currently doesn't look like there is a classification type or taxonomy set for data like this. In my case most of this would be used looking for outbound connections to proxies and I would consider the taxonomy as suspicious. Before moving any further with this I would like to get some guidance on what others feel the type and taxonomy should be so that I can contribute the parsers and feeds to the project.
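A sketch of the parser and firewall-log check described in the comments above, added here as an example; it is not code from the thread or from the project. The feed layout (`ip:port` followed by a two-letter country code), the firewall log format, and the function names are assumptions, and `classification.type` is set to the `proxy` value proposed in the thread, not a confirmed project value.

```python
import ipaddress
import re

# Constructed sample in an ASSUMED layout; the thread does not show the feed format.
SAMPLE_FEED = """\
Proxy list updated (constructed header line)
192.0.2.10:8080 US-N-S +
198.51.100.7:3128 DE-H
999.1.1.1:80 FR-N
203.0.113.5:99999 NL-A
"""

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_FW_LOG = [
    "2024-01-01T10:00:00Z ALLOW OUT src=10.0.0.5 dst=192.0.2.10 dport=8080",
    "2024-01-01T10:00:05Z ALLOW OUT src=10.0.0.6 dst=192.0.2.10 dport=443",
    "2024-01-01T10:00:09Z ALLOW OUT src=10.0.0.7 dst=198.51.100.7 dport=3128",
]

FEED_RE = re.compile(r"^(\S+):(\d{1,5})\s+([A-Z]{2})\b")
FW_RE = re.compile(r"dst=(\S+) dport=(\d+)")


def parse_feed(text):
    """Turn feed lines into event dicts, skipping headers and invalid entries."""
    events = []
    for line in text.splitlines():
        m = FEED_RE.match(line.strip())
        if not m:
            continue  # header, blank, or unrecognised line
        ip, port, cc = m.group(1), int(m.group(2)), m.group(3)
        try:
            ipaddress.ip_address(ip)  # reject malformed addresses
        except ValueError:
            continue
        if not 1 <= port <= 65535:
            continue
        events.append({"source.ip": ip, "source.port": port,
                       "source.geolocation.cc": cc,
                       "classification.type": "proxy"})  # value proposed in the thread
    return events


def match_outbound(events, log_lines):
    """Return log lines whose destination IP and port both match a listed proxy."""
    known = {(e["source.ip"], e["source.port"]) for e in events}
    hits = []
    for line in log_lines:
        m = FW_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in known:
            hits.append(line)
    return hits
```

Matching on the IP and port pair rather than the IP alone keeps ordinary traffic to a shared host (the `dport=443` line in the sample) out of the results.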