Snort mailing list archives

loopback traffic


From: Security Personnel <guardian () cadurx com>
Date: Wed, 19 May 2004 14:11:34 -0600

I'm not even sure how to pose this question. I wish I could fully explain the problem. I'll start with an e-mail from snort:

/<from snort>/
05/19-12:58:37.770631 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:80 -> XXX.XXX.XXX.XXX:1202
/</from snort>/

Now, I've read some stuff about these messages before, and as always it's important to note that the iptables-based firewall doesn't let these packets into any of the machines on our net, but snort still catches them (promiscuity and all). Nonetheless, the AMOUNT of these packets is overwhelming. ~700 just yesterday.

I've checked firewall logs, and the kernel, of course, is spitting out "martian source" errors, because packets from 127.0.0.1 should never be on the wire, right?
Right.

Down to some more strangeness: the packets are rarely to the same port, they come to EVERY machine on our IP range, and picking apart the headers has given me the originating MAC address of our ISP's gateway machine!

Any ideas? Any fellow sufferers?


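Added example, not part of the original post and not Snort's own code: a triage script that parses fast-format alerts like the one quoted in the message and groups loopback-sourced hits by destination host and port, so the spread across ports and machines described there can be measured. The sample lines and the 192.0.2.x addresses are constructed, and `parse_alert` and `summarize_loopback` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Layout of a Snort "fast" alert line such as the one quoted in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts. 192.0.2.0/24 (documentation range) stands in for
# the masked XXX.XXX.XXX.XXX addresses; the last line is deliberately truncated.
_MID = (" [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] "
        "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ")
SAMPLE = [
    "05/19-12:58:37.770631" + _MID + "127.0.0.1:80 -> 192.0.2.10:1202",
    "05/19-12:58:41.103377" + _MID + "127.0.0.1:80 -> 192.0.2.10:1847",
    "05/19-12:59:02.551209" + _MID + "127.0.0.1:80 -> 192.0.2.11:1033",
    "05/19-13:01:15.918840" + _MID + "127.0.0.1:80 -> 192.0.2.12:4410",
    "05/19-13:02:11.004512 [**] [1:528:4] BAD-TRAFFIC loopback",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    try:
        a["src"], a["dst"] = (ipaddress.ip_address(a[k]) for k in ("src", "dst"))
    except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
        return None
    for key in ("gid", "sid", "rev", "sport", "dport"):
        a[key] = int(a[key])
    return a

def summarize_loopback(lines, sid=528):
    """Summarise alerts for `sid` whose source address is in 127.0.0.0/8."""
    dst_ports, src_ports = defaultdict(set), Counter()
    for a in filter(None, map(parse_alert, lines)):
        if a["sid"] == sid and a["src"].is_loopback:
            dst_ports[str(a["dst"])].add(a["dport"])
            src_ports[a["sport"]] += 1
    return {"alerts": sum(src_ports.values()), "src_ports": dict(src_ports),
            "dst_ports": {d: sorted(p) for d, p in sorted(dst_ports.items())}}

if __name__ == "__main__":
    print(summarize_loopback(SAMPLE))
```

A single source port with many scattered destination ports across many hosts is the pattern the message describes; feed the script the real alert file's lines to see whether it holds over a full day.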

