Full Disclosure mailing list archives
Loopback packets
From: "Phathat" <phathat () hushmail com>
Date: Mon, 18 Aug 2003 11:26:11 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone seen this? Snort began reporting this capture from a single Windows box about twenty-four hours after we set windowsupdate.com to loopback. That's the only correlation I've found. Now I have three machines sending these little angry packets from different subnets (1918). Strangest of all, these packets traversed two + routers before it hit the Snort box?...

Anyone?...

- --- Last alerts ---

[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x57810001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

- -- END OF LOG ---

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9BGkMACgkQnBN72pVYTdhXHACbB1B/N7G11+UTJK0EeCtmspU05ZoA
nRGXmL9840M45/+LWzfweI6sZ4Xa
=w6Ls
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
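Added example, not part of the original post: a short Python triage of the alerts quoted above. It parses the packet lines, checks for a loopback source and RST/ACK flags, and estimates the hop count from the TTL; the table of initial TTL values (32/64/128/255) and the line layout of the sample are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Packet lines of the three alerts quoted in the post; line layout is assumed.
SAMPLE = """\
08/18-08:15:31.696482 0:7:D:50:E7:FC -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1:80 -> 255.255.255.255:1766 TCP TTL:126 TOS:0x0 ID:31804 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x57810001 Win: 0x0 TcpLen: 20
08/18-08:15:44.439384 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:59540 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
08/18-08:15:50.084525 0:7:D:50:E7:FC -> 2:BF:AC:1E:64:BA type:0x800 len:0x3C
127.0.0.1:80 -> 172.30.100.186:1236 TCP TTL:126 TOS:0x0 ID:46933 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE860001 Win: 0x0 TcpLen: 20
"""

ALERT = re.compile(
    r"(?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+) type:0x800 \S+\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+) "
    r"TCP TTL:(?P<ttl>\d+) .*?\n(?P<flags>[*A-Z12]{8}) ")

def parse_alerts(text):
    """Return one dict per TCP alert found in Snort full-alert text."""
    rows = []
    for m in ALERT.finditer(text):
        ttl = int(m["ttl"])
        # Heuristic: assume the sender started from a common default TTL.
        initial = min(t for t in (32, 64, 128, 255) if t >= ttl)
        rows.append({
            "src_mac": m["smac"],
            "dst": f'{m["dip"]}:{m["dport"]}',
            "loopback_src": ip_address(m["sip"]).is_loopback,
            "rst_ack": "R" in m["flags"] and "A" in m["flags"],
            "hops": initial - ttl,
        })
    return rows

def summarize(rows):
    """Map frame source MAC -> destinations, for loopback-sourced alerts only."""
    seen = defaultdict(set)
    for r in rows:
        if r["loopback_src"]:
            seen[r["src_mac"]].add(r["dst"])
    return dict(seen)

if __name__ == "__main__":
    for mac, dsts in summarize(parse_alerts(SAMPLE)).items():
        print(mac, sorted(dsts))
```

An estimate of two hops (TTL 126 from an assumed initial 128) means the frame's source MAC is the last forwarding interface before the sensor, not the originating host.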
Current thread:
- Loopback packets Phathat (Aug 18)
- R: Loopback packets edp (Aug 19)