Snort mailing list archives
RE: loopback traffic on the network
From: Tom Sevy <tsevy () epx com>
Date: Wed, 27 Feb 2002 09:12:49 -0500
I see, from time to time, on our internal network, broadcasts from 127.0.0.1 to 255.255.255.255 on port 2301. It is always (in our case) the Compaq agents. I then use TCP-dump to find the offending MAC address, and am then able to find the system (i.e., tcpdump -ei xl0 host 127.0.0.1).

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc cwo net au]
Sent: Wednesday, February 27, 2002 8:49 AM
To: rms
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] loopback traffic on the network

rms wrote:
I see a lot of traffic like this going through my router. All sorts of loopback addresses as source. The destination is a single DNS server.
Hrrmm, last I knew 127/8 was reserved (I assume only for loopback).
Anybody knows what this could be? Sample:

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:04.499538 127.184.74.150:12147 -> xxx.xxx.56.98:3385
UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
Len: 10

and so on... Very large number of alerts of the kind, only changing the destination port and source address. Any hints, pointers, URLs resources, anything?
Treat it as suspicious.. Perhaps get Snort to log the session to tcpdump and analyze the network capture more closely.
Another question: is it possible to see a regular packet on the network having 127.x.x.x as:
a) source
b) destination address
If answer is yes, then under what condition this might be (an example would be appreciated)
If it's possible, yes, if it's 'legal', I think no..

Cheers,
Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
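
Added example (not part of the original thread, and not code from Snort or tcpdump): a Python sketch of the approach described in the message above, grouping frames whose IPv4 source is in 127/8 by source MAC. It assumes the text format of modern `tcpdump -e -n` output; the sample lines, the MAC addresses and the 192.0.2.98 destination are constructed.

```python
import ipaddress
import re
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Link-level header and IPv4 endpoints as printed by `tcpdump -e -n`.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

# Constructed sample capture (MACs and 192.0.2.98 are placeholders).
SAMPLE = """\
09:12:01.100001 00:50:8b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 127.0.0.1.2301 > 255.255.255.255.2301: UDP, length 18
09:12:02.200002 00:10:5a:cc:dd:02 > 00:00:0c:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.20.1045 > 192.168.1.1.53: UDP, length 32
09:12:03.300003 00:00:0c:11:22:33 > 00:10:5a:cc:dd:04, ethertype IPv4 (0x0800), length 60: 127.184.74.150.12147 > 192.0.2.98.3385: UDP, length 10
09:12:04.400004 00:50:8b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 127.0.0.1.2301 > 255.255.255.255.2301: UDP, length 18
""".splitlines()


def loopback_sources_by_mac(lines):
    """Return {source MAC: sorted [(src_ip, dst_ip, dst_port)]} for 127/8 sources."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 frame, or a format this sketch does not cover
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address text
        if src in LOOPBACK:
            hits[m["smac"]].add((m["src"], m["dst"], m["dport"] or "-"))
    return {mac: sorted(flows) for mac, flows in hits.items()}


if __name__ == "__main__":
    for mac, flows in loopback_sources_by_mac(SAMPLE).items():
        for src, dst, dport in flows:
            print(f"{mac}  {src} -> {dst}:{dport}")
```

The source MAC only identifies the last layer-2 hop, so for traffic that has already crossed a router it is the router's address rather than the originating host's.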