Snort mailing list archives

Re: Snort Abend after BAD-TRAFFIC


From: Jason <security () brvenik com>
Date: Sun, 21 Mar 2004 17:46:34 -0500

I would look at a few things:

- Your snort config: if you are using -i any and browsing a webserver on localhost or using some form of tunneling, then this is a likely culprit; your PIX logs suggest this is not the case.

- Look at the MAC address of the 127.0.0.1 host: is it on your local net?

- Investigate the host generating the 127.0.0.1 traffic for bad stuff. Assuming the system is on your local net, I suspect you have a few alerts from that source MAC besides these.

Hopefully you have the pkts logged to give you more insight.


Mark.Schutzmann () Omron com wrote:

Jason,

Thanks for your insight. It makes sense that if I am getting slammed with
something that the file structure would grow enormously. As a matter of
fact, I was unable to do an rm -rf /var/log/snort/* as it was giving me an
error. Coincidentally, I have been seeing a ton of this type of traffic
from my Cisco PIX firewall:

106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface
inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.238.238 on interface
inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.49.110 on interface
inside

...and also a ton of this from Snort:

Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.3.124:1577
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.81.250:1095


Any ideas about whether this is a security breach or new worm? I have never
seen this prior to today.

Thanks,
Mark


Jason <security () brvenik com> wrote on 03/21/2004 10:56 AM (sent by: snort-users-admin () lists sourceforge net; To: Mark.Schutzmann () Omron com; cc: snort-users () lists sourceforge net; Subject: Re: [Snort-users] Snort Abend after BAD-TRAFFIC):



I believe your problem will be resolved by moving to a different logging
format.

The message

Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() =>
mkdir(/var/log/snort/209.176.247.84) log directory: Too many links

indicates you have too many files under the current directory.


Mark.Schutzmann () Omron com wrote:


I saw these messages in my syslog this morning after an alert that Snort
had abended. There were more than 100 of the BAD-TRAFFIC messages though.
Does anyone have any suggestions about whether there is some configuration
in my snort.conf or other external factors that could have caused this?

Best Regards,
Mark


Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.102.178:1043
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.247.84:1704
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() =>
mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

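As an added triage example (not code from this thread, nor from Snort or Cisco), the script below parses Snort syslog alert lines of the shape Mark posted and the PIX 106016 "Deny IP spoof" lines, flags packets whose source falls in 127.0.0.0/8, and counts the distinct destination addresses, since in Snort's default per-address log layout each new destination is one more subdirectory under the -l directory, which is the count that ran into "Too many links" here. The sample lines are constructed from the thread (rejoined into single syslog lines); the function names are my own.

```python
import ipaddress
import re
from collections import Counter

# Snort syslog alert as one unwrapped line (the thread shows it wrapped by the mail client).
SNORT_RE = re.compile(r"\[\d+:\d+:\d+\] (?P<msg>.+?) \[Classification: [^\]]*\] \[Priority: \d+\]: "
                      r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
# PIX syslog: "106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface inside"
PIX_RE = re.compile(r"106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface \S+")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: the thread's lines rejoined into single syslog lines, plus one unrelated line.
SAMPLE_LINES = [
    "Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577",
    "Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260",
    "Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260",
    "106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface inside",
    "106016: Deny IP spoof from (127.0.0.1) to 209.176.238.238 on interface inside",
    "Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode",
]


def parse_line(line):
    """Return (sensor, src_ip, dst_ip) for a recognised Snort or PIX line, else None."""
    m = SNORT_RE.search(line)
    if m:
        return ("snort", m.group("src"), m.group("dst"))
    m = PIX_RE.search(line)
    if m:
        return ("pix", m.group("src"), m.group("dst"))
    return None


def triage(lines):
    """Count loopback-sourced events, which sensor reported them, and the distinct destinations hit."""
    # Each distinct destination is one more per-address log subdirectory Snort would create under -l.
    events, dests, by_sensor = 0, set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line, e.g. the kernel promiscuous-mode message
        sensor, src, dst = rec
        if ipaddress.ip_address(src) in LOOPBACK:
            events += 1
            dests.add(dst)
            by_sensor[sensor] += 1
    return {"loopback_events": events, "distinct_destinations": len(dests),
            "by_sensor": dict(by_sensor)}
```

Running `triage(SAMPLE_LINES)` on the thread's lines reports 5 loopback-sourced events against 4 distinct destinations; pointing it at the full syslog would also show how many directories the per-address layout was about to need.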


Current thread: