Snort mailing list archives

need help : (snort decoder) Bad Traffic Loopback IP

From: Thomas Werth <thomas.werth () vahle de>
Date: Fri, 25 Nov 2005 11:01:51 +0100

Hello,
i'm running 3 snort (2.4.3) sensors logging to one db.
All systems run suse 9.2 and have very similar setups.
Snort Setup and installation is exact identical.

On one machine i get a
(snort decoder) Bad Traffic Loopback IP
with
127.0.0.1:2638 255.255.255.255:2638 UDP
report.
How can i trace where this broadcast came from (pid)/PC ?
I wonder why only one pc gets this broadcast msg, for testing i pulled
this pc out of network and msg didn't come again.
Now i wonder if it is generated by the pc itself - but why vanished msg
when pulling off network cable- or if msg comes from network - but why
don't fetch other sensors this msg - .

i don't wanna disable complete decoder to get rid of this message. But
in the end i'd like to find out what src of msg is and stop it.


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

need help : (snort decoder) Bad Traffic Loopback IP Thomas Werth (Nov 25)
- RE: need help : (snort decoder) Bad Traffic Loopback IP Paul Melson (Nov 28)