Snort mailing list archives
Re: Bad Loop Back Traffic
From: Mark.Schutzmann () Omron com
Date: Fri, 27 Feb 2004 11:48:28 -0600
I have also suddenly noticed that I am receiving the Bad Loop Back Traffic alerts. This started after I updated my sigs from the Snort site on Wednesday. Here's what I get when I issue the test command. Eth0 is a Gig Fiber card on a c4006 in monitor mode and eth1 is a 100MB card on the same switch. Any ideas? (aside from updating Snort...that's another story!)

[root@RHLXSnort snort]# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -T
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = OEI-RHLXSnort
database:   sensor name = 209.44.1.42
database:     sensor id = 1
database: inconsistent cid information for sid=1
          Recovering by rolling forward the cid=23189
database: schema version = 106
database: using the "log" facility
THRESHOLD: gen_id=1, sig_id=10000504, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=10000505, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=10000506, type=1, tracking=1, count=10, seconds=30
THRESHOLD: gen_id=1, sig_id=100000507, type=0, tracking=0, count=1000, seconds=300
THRESHOLD: gen_id=1, sig_id=1000508, type=1, tracking=1, count=10, seconds=240
THRESHOLD: gen_id=1, sig_id=1000509, type=1, tracking=1, count=10, seconds=240
1308 Snort rules read...
1308 Option Chains linked into 209 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.6 (Build 100)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
Snort exiting


"Scott Elgram" <SElgram () verifpoint com>
Sent by: snort-users-admin () lists sourceforge net
02/25/2004 05:03 PM
Please respond to "Scott Elgram"

        To: "SN ORT" <snort_on_acid () yahoo com>
        cc: <snort-users () lists sourceforge net>
        Subject: Re: [Snort-users] Bad Loop Back Traffic

Actually my set-up goes like this; Internet connects to router, connects to hub, hub connects to firewall. Also connected to the hub is eth0 on the SNORT machine with no IP. A second card (eth1) on the SNORT machine connects to the internal network so that I can monitor with ACID. This setup works well; the SNORT sensor sees all traffic coming in from the router and going out to the router. So far the only problem it seems to have is the Bad Loop Back Traffic.

-Scott Elgram

----- Original Message -----
From: "SN ORT" <snort_on_acid () yahoo com>
To: <SElgram () verifpoint com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 25, 2004 2:01 PM
Subject: Re: [Snort-users] Bad Loop Back Traffic

So you have this hub, connected to both the firewall and the router. Do you also have another connection, connecting the router to the firewall? Now the firewall and the router have two connections to each other? If you have a switch in between as well, this would cause a spanning tree problem. Or is this hub the only connection between the two? If not, then I would suggest a different way to monitor the connections, such as a switch between the router/fw, and if you have that already, the switch should then mirror the router port only. If the hub is the only connection, then is your sensor acting as a router? And is the IP of your non-sniffing interface an internal IP connected internally?

Cheese!
Marc

Message: 5
Reply-To: "Scott Elgram" <SElgram () verifpoint com>
From: "Scott Elgram" <SElgram () verifpoint com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bad Loop Back Traffic
Date: Tue, 24 Feb 2004 09:52:35 -0800
Organization: VerifPoint/CreDENTALs

Hummm, interesting. I have my SNORT installed on RH9 with 2 interfaces. The interface with the sensor is connected to a hub between my router and firewall. The interface has no IP address and catches only out-bound and in-bound traffic from the internet. For a while I was under the impression that this "Bad Loop Back Traffic" was the result of having an interface up with no IP or configuration. Could this be the reason, you think?

-Scott Elgram

----- Original Message -----
From: <bclark () bwkip com>
To: <snort-users () lists sourceforge net>
Cc: <SElgram () verifpoint com>
Sent: Tuesday, February 24, 2004 9:01 AM
Subject: Re: [Snort-users] Bad Loop Back Traffic

I have also seen this type of traffic, about 200,000 alerts last night. I am not sure, but I think it is a client's Windows machine.

Hello, I have an abundance of alerts telling me [snort] BAD-TRAFFIC loopback traffic on 127.0.0.1:80. According to snort this is due to improperly configured interfaces. Which part is improperly configured and how can I fix this? Or have I been hacked?

-Scott Elgram
IT/Systems Support
VerifPoint/CreDENTALs
(949)770-5290 ext. 26

__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools
-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
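The stock BAD-TRAFFIC loopback rule fires on any IP packet whose source or destination lies in 127.0.0.0/8, so the triage question in this thread is which machine on the hub is putting such packets on the wire. The following Python is an added example, not from the thread or the Snort project: it parses raw Ethernet/IPv4 frames and tallies loopback-addressed packets per source MAC; the frames, MACs and IPs are constructed inline and the function names are my own.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

LOOPBACK = IPv4Network("127.0.0.0/8")  # the range the loopback rule matches, either direction

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip) for an IPv4-over-Ethernet frame, or None."""
    if len(frame) < 34:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:  # not IPv4 (ARP, IPv6, ...): ignore
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return src_mac.hex(":"), str(IPv4Address(src_ip)), str(IPv4Address(dst_ip))

def is_loopback_traffic(src_ip: str, dst_ip: str) -> bool:
    """Same test as the rule: either address inside 127.0.0.0/8."""
    return IPv4Address(src_ip) in LOOPBACK or IPv4Address(dst_ip) in LOOPBACK

def offenders(frames):
    """Count loopback-addressed packets per (source MAC, src IP, dst IP)."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and is_loopback_traffic(parsed[1], parsed[2]):
            counts[parsed] += 1
    return counts

def build_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample frame: Ethernet + bare 20-byte IPv4 header (TCP, checksum zeroed)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip

# Constructed capture: one host sending to 127.0.0.1 twice, one with a 127.0.0.1 source, plus an ARP frame.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "10.0.0.5", "127.0.0.1"),
    build_frame("00:11:22:33:44:55", "10.0.0.5", "127.0.0.1"),
    build_frame("00:aa:bb:cc:dd:ee", "10.0.0.9", "198.51.100.20"),
    build_frame("00:aa:bb:cc:dd:ee", "127.0.0.1", "10.0.0.9"),
    bytes(12) + b"\x08\x06" + bytes(28),
]

if __name__ == "__main__":
    for (mac, src, dst), n in offenders(SAMPLE_FRAMES).most_common():
        print(f"{n:6d}  {mac}  {src} -> {dst}")
```

Run it over frames read from a pcap of the sniffing interface instead of SAMPLE_FRAMES and the MAC with the highest count is the host to look at; a MAC that belongs to the sensor's own interfaces would instead point back at the sensor's configuration.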
Current thread:
- Bad Loop Back Traffic Scott Elgram (Feb 24)
- <Possible follow-ups>
- Re: Bad Loop Back Traffic bclark (Feb 24)
- Re: Bad Loop Back Traffic Mat Harris (Feb 24)
- Re: Bad Loop Back Traffic Frank Knobbe (Feb 24)
- Re: Bad Loop Back Traffic Scott Elgram (Feb 25)
- RE: Bad Loop Back Traffic Finney Charles E (Feb 24)
- Re: RE: Bad Loop Back Traffic Scott Elgram (Feb 25)
- Re: RE: Bad Loop Back Traffic James Nonya (Feb 24)
- Re: Bad Loop Back Traffic SN ORT (Feb 25)
- Re: Bad Loop Back Traffic Scott Elgram (Feb 27)
- Re: Bad Loop Back Traffic Mark . Schutzmann (Feb 27)