Snort mailing list archives
loopback traffic
From: Security Personnel <guardian () cadurx com>
Date: Wed, 19 May 2004 14:11:34 -0600
I'm not even sure how to pose this question. I wish I could fully explain the problem.. I'll start with an e-mail from snort
<from snort>
05/19-12:58:37.770631 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> XXX.XXX.XXX.XXX:1202
</from snort>

Now, I've read some stuff about these messages before, and as always it's important to note that the iptables-based firewall doesn't let these packets into any of the machines on our net, but snort still catches them (promiscuity and all). Nonetheless, the AMOUNT of these packets is overwhelming. ~700 just yesterday.
I've checked firewall logs, and the kernel, of course, is spitting out "martian source" errors.. because packets from 127.0.0.1 should never be on the wire, right?
Right. Down to some more strangeness ---> the packets are rarely to the same port, they come to EVERY machine on our IP range, and picking apart the headers has given me the originating MAC address of our ISP's gateway machine!
Any ideas? Any fellow sufferers?
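A triage sketch for the alert volume described in the post above, added here as an example and not part of the original message: it parses Snort fast-alert lines in the quoted format and tallies SID 528 alerts with a 127.0.0.0/8 source by day, source port, destination host and destination port. The sample alerts, the 192.0.2.0/24 destinations, the SID 1000001 line and the function name `summarize_loopback` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert line, the format of the alert quoted in the post.
ALERT_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-(?P<time>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not from the original post).
SAMPLE = """\
05/18-09:14:02.120411 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.10:1202
05/18-09:14:05.554210 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.11:3377
05/19-12:58:37.770631 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.10:1741
05/19-13:02:11.003918 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> 192.0.2.12:1202
05/19-13:05:40.118822 [**] [1:1000001:1] LOCAL constructed example rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:4000 -> 192.0.2.10:22
"""


def summarize_loopback(lines, sid="528"):
    """Tally alerts for `sid` whose source address is in 127.0.0.0/8."""
    per_day, src_ports = Counter(), Counter()
    dst_hosts, dst_ports, skipped = set(), set(), 0
    for line in lines:
        m = ALERT_RE.match(line.strip())
        try:
            hit = (bool(m) and m["sid"] == sid
                   and ipaddress.ip_address(m["src"]).is_loopback)
        except ValueError:  # address field that is not a valid IPv4 address
            hit = False
        if not hit:
            skipped += 1  # other rules, unparsable lines, non-loopback sources
            continue
        per_day[m["day"]] += 1
        src_ports[m["sport"]] += 1
        dst_hosts.add(m["dst"])
        dst_ports.add(m["dport"])
    return {"total": sum(per_day.values()), "per_day": dict(per_day),
            "src_ports": dict(src_ports), "dst_hosts": sorted(dst_hosts),
            "dst_ports": sorted(p for p in dst_ports if p), "skipped": skipped}


if __name__ == "__main__":
    print(summarize_loopback(SAMPLE.splitlines()))
```

A single source port spread across many destination hosts and ports, as in the constructed sample, is the pattern the post describes.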