Snort mailing list archives
RE: a lot of Loopback traffic being logged.
From: "Chuck Holley" <cholley () fitnessquest com>
Date: Fri, 23 Apr 2004 13:23:39 -0400
Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a while with this command:

tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

I'm assuming I'm doing this right. I'm trying to log only packets from 127.0.0.1 and log the whole Ethernet packet (1518) on interface eth0 and write to a file called dump. Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes that is sending out the 127.0.0.1, or did I simply pick up two packets sent out from hal2 to these other machines? I looked at Snort and the exact same IPs, with the exact same ports, were logged coming from 127.0.0.1. To say the least I'm confused even more!!

-----Original Message-----
From: Fred Portnoy [mailto:fportnoy () mail plymouth edu]
Sent: Friday, April 23, 2004 11:07 AM
To: 'Chuck Holley'; Mark.Schutzmann () omron com
Cc: snort-users () lists sourceforge net; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] a lot of Loopback traffic being logged.

You need to sniff on one interface at a time at your network distribution point, and as you find the offending packets, go upstream to the next aggregation point and so forth, until you get by the last router and you are on the offender's home LAN; only then will you have captured their actual MAC address.

Good Luck!
-fp

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chuck Holley
Sent: Friday, April 23, 2004 10:25 AM
To: Mark.Schutzmann () Omron com
Cc: snort-users () lists sourceforge net; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] a lot of Loopback traffic being logged.
OK, I looked through the archives and found that it is probably the Blaster worm, and that to find the src address you need to follow back to the MAC address. My problem is that I have Firestarter firewall on my mail server and it is also logging the loopback address issue as a "Martian source attack," and I have two different IP addresses mapped to the same MAC address? What is up with that? How do I trace that? Also I can't seem to find where the MAC address is in ACID.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark.Schutzmann () Omron com
Sent: Thursday, April 22, 2004 6:09 PM
To: Chuck Holley
Cc: snort-users () lists sourceforge net; snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] a lot of Loopback traffic being logged.

I reported this same problem earlier. I had a lot of great feedback, if you want to search the mailing list. Recently, I had this come up again. I used Snort in non-daemon mode to find the MAC address that was associated with the 127.0.0.1 address, which led me to a router (ugh!). I then had to trace that through my WAN to another network, where we found the local MAC and traced that to a couple of Japanese engineers who were visiting our company and had plugged their computers into our network. Unfortunately, because we did not have a translator and could not readily sift through their Japanese OS computers, I still cannot say what the source program was that caused this. I simply had to quarantine their computers away from the corporate network. If I find a translator and the program, I will forward this info on. Let me know what you find! I suspect some virus or trojan. This is a fairly amateur attack to actually be running manually.

Good Luck!
Best Regards,
Mark

From: "Chuck Holley" <cholley () fitnessquest com>
Sent by: snort-users-admin () lists sourceforge net
To: <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] a lot of Loopback traffic being logged.
Date: 04/22/2004 08:38 AM

"BAD-TRAFFIC loopback traffic"

I am getting a lot of this one alert on 127.0.0.1. I'm really not sure what is causing this, if it is faulty networking or maybe a spoofer. Now that I know I'm getting this, thanks to Snort, what the heck do I do about it? Anyone ever remedy this problem?

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley () fitnessquest com

-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
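The tracing step Mark and Fred describe, finding the Ethernet source MAC behind the spoofed 127.0.0.1 packets and then following that MAC through the switch tables, is what the following Python does against a libpcap file of the kind `tcpdump -w dump` writes. This is an added example and not code from the thread or from Snort. It keys on the link-layer header and on numeric addresses (what `tcpdump -e -n` or `snort -e` would show), because tcpdump's default name resolution prints whatever name the capture host's hosts file assigns to an address, which can hide the fact that a packet carries 127.0.0.1. The frame builder, the MAC and IP addresses and the capture they produce are all constructed for the demonstration.

```python
"""Map spoofed-loopback (127.0.0.0/8) IPv4 packets back to the Ethernet
source MAC that put them on the wire, reading a classic libpcap capture
such as the one `tcpdump -i eth0 -w dump` writes.

Added example, not code from the Snort-users thread or from Snort; the
frame builder and every address below are constructed sample data.
"""
import ipaddress
import struct
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, sport, dport) for an Ethernet II /
    IPv4 frame carrying TCP or UDP, or None for anything else."""
    if len(frame) < 34:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl + 4:
        return None
    proto = frame[14 + 9]
    src_ip = ipaddress.ip_address(frame[14 + 12:14 + 16])
    dst_ip = ipaddress.ip_address(frame[14 + 16:14 + 20])
    sport = dport = None
    if proto in (6, 17):  # TCP or UDP: ports are the first two 16-bit fields
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return mac_str(src_mac), src_ip, dst_ip, sport, dport


def iter_pcap(data):
    """Yield raw frames from a classic libpcap byte string (either endianness)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    offset = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def loopback_sources(frames):
    """Group packets whose IPv4 source or destination is in 127.0.0.0/8 by the
    Ethernet source MAC. That MAC, not the spoofed IP, is what you look up in
    the switch forwarding tables to find the port the traffic came in on."""
    by_mac = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, sport, dport = parsed
        if src_ip in LOOPBACK or dst_ip in LOOPBACK:
            by_mac[src_mac].append((str(src_ip), sport, str(dst_ip), dport))
    return dict(by_mac)


def report(pcap_bytes):
    return loopback_sources(iter_pcap(pcap_bytes))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data only; IP and
    TCP checksums are left zero, which the parser above does not check)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x04, 0, 0, 0)  # RST flag set
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: two spoofed-loopback frames from one station (what
    the BAD-TRAFFIC loopback rule alerts on) and one ordinary web reply that
    must not be reported. All MACs, IPs and timestamps are made up."""
    frames = [
        build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "127.0.0.1", "192.168.42.50", 80, 1361),
        build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:02", "127.0.0.1", "192.168.42.52", 80, 1196),
        build_frame("00:aa:bb:cc:dd:10", "00:aa:bb:cc:dd:01", "192.168.42.10", "192.168.42.50", 80, 1362),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1082740000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for mac, pkts in report(build_sample_pcap()).items():
        print(f"{mac}: {len(pkts)} loopback-addressed packet(s)")
        for src, sp, dst, dp in pkts:
            print(f"    {src}:{sp} -> {dst}:{dp}")
```

To run it over a real capture, call `report(open("dump", "rb").read())`. Keep in mind what the result means: the MAC it lists is the station that forwarded the frame onto the segment you sniffed, so if the sniffer sits behind a router the MAC will be the router's (as in Mark's case). That is the reason for Fred's advice to move the capture one aggregation point upstream at a time until the reported MAC is a host on its own LAN.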