Proxy Port Activity to the Internet

Elastic Detection Rules

Summary
This detection rule identifies potential proxy activity directed towards the internet over TCP ports commonly used for HTTP and SOCKS proxies: port 1080 (SOCKS), 3128 (HTTP proxy) and 8080 (HTTP proxy). The intent is to flag traffic that could indicate an attempt to bypass network security controls or could represent command-and-control communication. The rule focuses on traffic originating from private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to any external IP that is not a private or reserved address, which filters out legitimate internal proxy communication. Because the rule flags any use of these proxy ports, false positives may arise from benign internal proxy services or from applications that use ephemeral port ranges. Alerts should be interpreted with caution and in the wider context of the detected traffic. The rule is marked as deprecated as of April 15, 2021, and should be used with this understanding.
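The logic described above, re-implemented as an added example over constructed flow records (this is not the rule's own query or Elastic code). It assumes ECS-style field names (source.ip, destination.ip, destination.port, network.transport) and uses Python's ipaddress.is_global as the "not private or reserved" test, which also excludes loopback, link-local, multicast and documentation ranges.

```python
import ipaddress

# Ports called out by the rule: 1080 (SOCKS), 3128 and 8080 (HTTP proxy).
PROXY_PORTS = {1080, 3128, 8080}

# RFC 1918 source ranges the rule focuses on.
PRIVATE_SOURCE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private_source(ip: str) -> bool:
    """True if the source sits in one of the RFC 1918 ranges the rule names."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_SOURCE_NETS)


def is_external_destination(ip: str) -> bool:
    """True if the destination is neither private nor reserved (assumption:
    ipaddress.is_global is used as that test; it covers RFC 1918, loopback,
    link-local, multicast and IANA special-purpose ranges in one check)."""
    return ipaddress.ip_address(ip).is_global


def matches_rule(flow: dict) -> bool:
    """One flow record matches when it is TCP, to a proxy port, from a private
    source and to an external destination."""
    return (
        flow.get("network.transport") == "tcp"
        and int(flow.get("destination.port", 0)) in PROXY_PORTS
        and is_private_source(flow["source.ip"])
        and is_external_destination(flow["destination.ip"])
    )


def find_matches(flows):
    """Return every flow that would raise an alert under this rule."""
    return [f for f in flows if matches_rule(f)]


# Constructed sample flows (not real traffic); 8.8.8.8 stands in for any external host.
SAMPLE_FLOWS = [
    {"source.ip": "10.1.2.3", "destination.ip": "8.8.8.8", "destination.port": 3128, "network.transport": "tcp"},   # alert
    {"source.ip": "10.1.2.3", "destination.ip": "10.0.0.5", "destination.port": 3128, "network.transport": "tcp"},  # internal proxy: ignored
    {"source.ip": "192.168.1.10", "destination.ip": "8.8.8.8", "destination.port": 443, "network.transport": "tcp"},  # not a proxy port
    {"source.ip": "172.16.5.5", "destination.ip": "8.8.8.8", "destination.port": 1080, "network.transport": "udp"},  # not TCP
    {"source.ip": "172.16.5.5", "destination.ip": "8.8.8.8", "destination.port": 8080, "network.transport": "tcp"},  # alert
]

if __name__ == "__main__":
    for f in find_matches(SAMPLE_FLOWS):
        print("ALERT", f["source.ip"], "->", f["destination.ip"], f["destination.port"])
```

Only the first and last sample flows match; the second shows why purely internal proxy traffic is excluded, which is the filter the summary describes.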
Categories
  • Network
  • Endpoint
  • Cloud
Data Sources
  • Network Traffic
  • Process
  • User Account
Created: 2020-02-18