Snort mailing list archives
Misc loopback traffic
From: "Michael J. Barillier" <blackwolf () pcisys net>
Date: Fri, 31 Aug 2001 10:26:29 -0600 (MDT)
Time for me to display my glaring ignorance of All Things Network-related (me with Snort is something like the proverbial chimpanzee with a machine gun):

Yesterday I started seeing stuff like the following in my Snort alert log:

[**] [1:528:1] MISC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/31-10:08:29.118876 127.0.0.1:2301 -> 255.255.255.255:2301
UDP TTL:128 TOS:0x0 ID:58978 IpLen:20 DgmLen:40
Len: 20

Running tcpdump (make that *two* machine guns) showed:

10:06:29.132241 localhost.2301 > 255.255.255.255.2301: udp 12
10:06:53.787832 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:06:54.597386 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:07:03.270716 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:07:29.125580 localhost.2301 > 255.255.255.255.2301: udp 12
10:07:53.859622 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:07:54.837574 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:08:03.265019 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:08:29.118876 localhost.2301 > 255.255.255.255.2301: udp 12

So running through the gunk above, it looks like my box is firing off a UDP packet to 255.255.255.255:2301 every minute, but this REDWING1 character appears to be doing the same, about 25 seconds after me. I checked ps and there's nothing new running, and rebooting didn't stop the flow of these packets. (Also, the packets are originating at 29 seconds after the minute, and that didn't change after reboot.)

Anyone want to take a guess at what's causing this?

Oh, some potentially useful information: Linux (Slack 8.0), 2.2.19 kernel, Snort 1.8.1, inetd.conf pared down to the bare minimum -- about all that's running is sshd, lpd, sendmail, ircd and VMware's bridge (according to ps).

--
Michael J. Barillier <mailto:blackwolf () pcisys net> <http://www.pcisys.net/~blackwolf/>
(prin1 "OO *sucks*.")
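An added example, not part of the original post: a short Python script that does the tally the post does by eye, grouping the quoted tcpdump lines by sender and destination and reporting the gap between successive packets. The function names are this example's own, and the embedded capture is copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# tcpdump lines copied from the post above (no new data).
CAPTURE = """\
10:06:29.132241 localhost.2301 > 255.255.255.255.2301: udp 12
10:06:53.787832 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:06:54.597386 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:07:03.270716 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:07:29.125580 localhost.2301 > 255.255.255.255.2301: udp 12
10:07:53.859622 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:07:54.837574 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:08:03.265019 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:08:29.118876 localhost.2301 > 255.255.255.255.2301: udp 12
"""

# Layout of each line: <time> <src>.<sport> > <dst>.<dport>: udp <len>
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d{6}) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)$")

def parse(capture):
    """Yield (seconds_since_midnight, src, sport, dst, dport) per UDP line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a UDP summary line
        t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        yield secs, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def beacon_intervals(capture):
    """Map (src, dst, dport) to the gaps, in seconds, between its packets."""
    seen = defaultdict(list)
    for secs, src, _sport, dst, dport in parse(capture):
        seen[(src, dst, dport)].append(secs)
    return {k: [round(b - a, 1) for a, b in zip(v, v[1:])]
            for k, v in seen.items()}

def loopback_sources(capture):
    """Senders shown with a loopback source, as in the alert in the post."""
    return sorted({src for _t, src, *_ in parse(capture)
                   if src == "localhost" or src.startswith("127.")})

if __name__ == "__main__":
    for flow, gaps in beacon_intervals(CAPTURE).items():
        print(flow, gaps)
    print("loopback sources:", loopback_sources(CAPTURE))
```

On the quoted capture, all four senders show gaps of about 60 seconds to UDP port 2301, and only the `localhost` flow carries a loopback source address.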