Snort mailing list archives
Re: BAD TRAFFIC loopback traffic
From: JP Vossen <vossenjp () netaxs com>
Date: Mon, 25 Aug 2003 20:04:12 -0400 (EDT)
Date: Fri, 22 Aug 2003 13:06:38 -0400 (EDT) From: Erek Adams <erek () snort org> To: IntegPatchMgr <IntegPatchMgr () infosys com> cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] BAD TRAFFIC loopback traffic On Fri, 22 Aug 2003, IntegPatchMgr wrote:I am getting below message, Can any one let me know what is this mean ? EVENT # : 65 EVENTLOG : Application EVENT TYPE : INFORMATION (4) SOURCE : snort EVENT ID : 1 TIME : 8/22/2003 3:55:06 PM MESSAGE : [1:528:3] BAD TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 172.25.15.21:1284You had traffic from the loopback address 127.0.0.1 on the wire (ethernet). That should never happen. Most likely the 127.0.0.1 address was spoofed.
FYIW, I had a similar issue. I started getting a TON of this message in syslog: Aug 13 12:34:31 xxxxxxx snort: [1:528:3] BAD TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: <eth0> {TCP} 192.168.xxx.143:32831 -> 127.0.0.1:25 The source (.143) was a brand new from-scratch install of RHEL Taroon (i.e. Red Hat Enterprise Linux 3.0 Beta 1). There was a sendmail process and another sendmail-related process that I forget the name of. When I stopped both of those processes, the messages went away. That sounds like some part of sendmail is severely broken in Taroon, but I have not seen anything on that list, so it could just be me. HTH, JP ------------------------------|:::======|-------------------------------- JP Vossen, CISSP |:::======| jp{at}jpsdomain{dot}org My Account, My Opinions |=========| http://www.jpsdomain.org/ ------------------------------|=========|-------------------------------- You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable? ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BAD TRAFFIC loopback traffic IntegPatchMgr (Aug 22)
- Re: BAD TRAFFIC loopback traffic Erek Adams (Aug 22)
- Re: BAD TRAFFIC loopback traffic Edin Dizdarevic (Aug 23)
- <Possible follow-ups>
- Re: BAD TRAFFIC loopback traffic Matt Kettler (Aug 22)
- Re: BAD TRAFFIC loopback traffic JP Vossen (Aug 27)
- Re: BAD TRAFFIC loopback traffic Edin Dizdarevic (Aug 27)
- Re: BAD TRAFFIC loopback traffic JP Vossen (Aug 27)
- Re: BAD TRAFFIC loopback traffic Edin Dizdarevic (Aug 27)