Snort mailing list archives
Re: Snort Abend after BAD-TRAFFIC
From: Jason <security () brvenik com>
Date: Sun, 21 Mar 2004 17:46:34 -0500
I would look at a few things:

- Your snort config. If you are using -i any and browsing a webserver on localhost or using some form of tunneling then this is a likely culprit; your PIX logs suggest this is not the case.
- See if the MAC address of the 127.0.0.1 host is on your local net.
- Investigate the host generating the 127.0.0.1 traffic for bad stuff. Assuming the system is on your local net I suspect you have a few alerts from that source MAC besides these.

Hopefully you have the pkts logged to give you more insight.

Mark.Schutzmann () Omron com wrote:

> Jason,
>
> Thanks for your insight. It makes sense that if I am getting slammed with something that the file structure would grow enormously. As a matter of fact, I was unable to do an rm -rf /var/log/snort/* as it was giving me an error.
>
> Coincidentally, I have been seeing a ton of this type of traffic from my Cisco PIX firewall:
>
> 106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface inside
> 106016: Deny IP spoof from (127.0.0.1) to 209.176.238.238 on interface inside
> 106016: Deny IP spoof from (127.0.0.1) to 209.176.49.110 on interface inside
>
> ...and also a ton of this from Snort:
>
> Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577
> Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
> Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
> Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.81.250:1095
>
> Any ideas about whether this is a security breach or new worm? I have never seen this prior to today.
>
> Thanks,
> Mark
>
> Jason <security () brvenik com>
> Sent by: snort-users-admin () lists sourceforge net
> 03/21/2004 10:56 AM
> To: Mark.Schutzmann () Omron com
> cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort Abend after BAD-TRAFFIC
>
>> I believe your problem will be resolved by moving to a different logging format. The message
>>
>> Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
>>
>> indicates you have too many files under the current directory.
>>
>> Mark.Schutzmann () Omron com wrote:
>>
>>> I saw these messages in my syslog this morning after an alert that Snort had abended. There were more than 100 of the BAD-TRAFFIC messages though. Does anyone have any suggestions about whether there is some configuration in my snort.conf or other external factors that could have caused this?
>>>
>>> Best Regards,
>>> Mark
>>>
>>> Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.102.178:1043
>>> Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
>>> Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
>>> Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.247.84:1704
>>> Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
>>> Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
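The failure discussed in this thread is a capacity problem, not an intrusion by itself: Snort's default ASCII packet logger (the `-l` directory) creates one subdirectory per "foreign" address, and a flood of alerts with thousands of distinct peers exhausts the filesystem's per-directory link limit, which is the `mkdir(...) ... Too many links` in the FATAL ERROR line. The script below is an added triage example written for this page; it is not code from the thread or from the Snort project. It parses syslog lines in the format quoted above (the sample lines are constructed after the posted ones), counts sid 528 alerts whose source is in 127.0.0.0/8, estimates how many per-address directories the default logger would have tried to create, and compares that with a link limit. The directory-naming rule (foreign address if one end is inside the `-h` home net, otherwise the end with the higher port) is an approximation of Snort 2.x log.c, and the 32000 default is the ext2/ext3 hard-link cap; both are assumptions, not something the thread states.

```python
"""Triage a Snort 2.x syslog stream: count loopback-source alerts, estimate how many
per-address log directories the default ASCII logger would create, and catch the
'Too many links' failure that took the sensor down in the thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample input modelled on the syslog lines quoted in the thread
# (not a real capture; host name, times and addresses mirror the post).
SAMPLE_SYSLOG = """\
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.102.178:1043
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.247.84:1704
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode
"""

# Snort 2.x syslog alert: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sp -> dst:dp
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: [^\]]+\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
FATAL_RE = re.compile(
    r"snort: FATAL ERROR: OpenLogFile\(\) => mkdir\((?P<path>[^)]+)\) log directory: (?P<err>.+)$"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # what sid 1:528 keys on


def parse(text):
    """Return (alert dicts, first FATAL ERROR dict or None) from a syslog excerpt."""
    alerts, fatal = [], None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
                a[k] = int(a[k])
            alerts.append(a)
            continue
        m = FATAL_RE.search(line)
        if m and fatal is None:
            fatal = m.groupdict()
    return alerts, fatal


def log_dir_for(alert, home_net=None):
    """Address the default ASCII logger would use as the per-packet directory name.
    Assumption (approximates Snort 2.x log.c): if exactly one end is inside the -h
    home net, log under the other ('foreign') end; otherwise use the end with the
    higher port. With src 127.0.0.1:80 -> dst :1704 this yields the dst, which is
    the path in the FATAL ERROR line."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    if home_net is not None:
        src_home, dst_home = src in home_net, dst in home_net
        if src_home != dst_home:
            return alert["src"] if dst_home else alert["dst"]
    return alert["src"] if alert["sport"] >= alert["dport"] else alert["dst"]


def triage(text, home_net=None, link_max=32000):
    """Summarise the stream. link_max is the filesystem's per-directory link cap
    (assumption: 32000 on ext2/ext3); every subdirectory costs one link and '.'
    plus the parent's entry cost two, so link_max - 2 subdirectories fit."""
    home = ipaddress.ip_network(home_net) if home_net else None
    alerts, fatal = parse(text)
    dirs = Counter(log_dir_for(a, home) for a in alerts)
    loopback_src = sum(1 for a in alerts if ipaddress.ip_address(a["src"]) in LOOPBACK)
    capacity = link_max - 2
    return {
        "alerts": len(alerts),
        "sid528": sum(1 for a in alerts if a["gid"] == 1 and a["sid"] == 528),
        "loopback_src": loopback_src,
        "unique_dirs": len(dirs),
        "dirs_over_limit": len(dirs) > capacity,
        "top_dirs": dirs.most_common(3),
        "fatal": fatal,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_SYSLOG).items():
        print(f"{k}: {v}")
```

Run it against a real `/var/log/messages` excerpt to see how many directories the sensor was about to create; when `unique_dirs` approaches the limit, or `fatal` is set, the remedy Jason recommends is to stop using the per-address ASCII layout, for example by running Snort with `-b` (binary tcpdump-format log) or an `output log_tcpdump:` line in snort.conf, and to rebuild the log directory rather than `rm -rf` a tree that is already at the link cap.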
Current thread:
- Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- <Possible follow-ups>
- Re: Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Frank Knobbe (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Steve Thompson (Mar 23)