Snort mailing list archives
Re: Misc loopback traffic
From: "J. C. Woods" <drjung () sprynet com>
Date: Fri, 31 Aug 2001 17:39:35 +0000
"Michael J. Barillier" wrote:
Time for me to display my glaring ignorance of All Things Network-related (me with Snort is something like the proverbial chimpanzee with a machine gun): Yesterday I started seeing stuff like the following in my Snort alert log:

[**] [1:528:1] MISC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/31-10:08:29.118876 127.0.0.1:2301 -> 255.255.255.255:2301
UDP TTL:128 TOS:0x0 ID:58978 IpLen:20 DgmLen:40
Len: 20

Running tcpdump (make that *two* machine guns) showed:

10:06:29.132241 localhost.2301 > 255.255.255.255.2301: udp 12
10:06:53.787832 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:06:54.597386 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:07:03.270716 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:07:29.125580 localhost.2301 > 255.255.255.255.2301: udp 12
10:07:53.859622 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:07:54.837574 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:08:03.265019 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:08:29.118876 localhost.2301 > 255.255.255.255.2301: udp 12

So running through the gunk above, it looks like my box is firing off a UDP packet to 255.255.255.255:2301 every minute, but this REDWING1 character appears to be doing the same, about 25 seconds after me. I checked ps and there's nothing new running, and rebooting didn't stop the flow of these packets. (Also, the packets are originating at 29 seconds after the minute, and that didn't change after reboot.) Anyone want to take a guess at what's causing this?

Oh, some potentially useful information: Linux (Slack 8.0), 2.2.19 kernel, Snort 1.8.1, inetd.conf pared down to the bare minimum -- about all that's running is sshd, lpd, sendmail, ircd and VMware's bridge (according to ps).

--
Michael J. Barillier
<mailto:blackwolf () pcisys net>
<http://www.pcisys.net/~blackwolf/>
(prin1 "OO *sucks*.")
Begin with a "nslookup -q=txt REDWING1.wcomnet.com". This will tell you a bit about the machine you are talking to. After you see what type of machine this is, you might want to poke around for any other traffic coming or going on port 53. Let us know what your investigation yields...

drjung
--
J. Craig Woods
UNIX SA
-Art is the illusion of spontaneity-

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
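The triage the original poster did by eye (a 127.0.0.1 source showing up on the wire, broadcast destinations, a packet every minute at the same second) can be done mechanically over the tcpdump lines he pasted. The following is an added example written for this archive page, not code from either poster or from the Snort project. It parses the UDP lines from the post above, groups them into (source, destination, port) flows, and reports which ones have a loopback source, a broadcast destination, or a fixed inter-arrival interval. Two assumptions are made: tcpdump's "localhost" is mapped back to 127.0.0.1, and any IPv4 address ending in .255 is treated as a directed broadcast (true for 166.34.147.255 only if that network is a /24, which the post does not state).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# tcpdump lines copied from the post above (the alert itself gives 127.0.0.1
# as the source; tcpdump resolved it to "localhost").
SAMPLE = """\
10:06:29.132241 localhost.2301 > 255.255.255.255.2301: udp 12
10:06:53.787832 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:06:54.597386 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:07:03.270716 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:07:29.125580 localhost.2301 > 255.255.255.255.2301: udp 12
10:07:53.859622 REDWING1.wcomnet.com.2301 > 255.255.255.255.2301: udp 12
10:07:54.837574 cospm05.wcomnet.com.1035 > 166.34.147.255.2301: udp 12
10:08:03.265019 csu6220520.wcomnet.com.1033 > 166.34.147.255.2301: udp 12
10:08:29.118876 localhost.2301 > 255.255.255.255.2301: udp 12
"""

# tcpdump (2001-era default output) prints "host.port > host.port: udp len".
# The host may be a name or a dotted quad, so the port is the last ".digits".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)


def parse(text):
    """Group timestamps by (src, dst, dport). 'localhost' -> 127.0.0.1 (assumption)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = "127.0.0.1" if m["src"] == "localhost" else m["src"]
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        flows[(src, m["dst"], int(m["dport"]))].append(ts)
    return flows


def is_loopback(addr):
    """True for 127.0.0.0/8; hostnames that did not resolve count as False."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_broadcast(addr):
    """Limited broadcast, or a .255 host part (directed broadcast, assumes /24)."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return addr == "255.255.255.255" or addr.endswith(".255")


def period_seconds(times, tolerance=1.0):
    """Common inter-arrival gap (rounded, in seconds) if every gap is within
    `tolerance` of the first; None if fewer than three packets or irregular."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if all(abs(g - gaps[0]) <= tolerance for g in gaps):
        return round(gaps[0])
    return None


def triage(text):
    """One finding per flow, with the reasons it deserves a second look."""
    findings = []
    for (src, dst, dport), times in parse(text).items():
        reasons = []
        if is_loopback(src):
            reasons.append("loopback source address on the wire")
        if is_broadcast(dst):
            reasons.append("broadcast destination")
        period = period_seconds(times)
        if period is not None:
            reasons.append(f"periodic, every {period}s")
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['src']:>24} -> {f['dst']}:{f['dport']}  "
              f"x{f['count']}  {'; '.join(f['reasons']) or '-'}")
```

With only two samples each, REDWING1 and the two wcomnet hosts are not yet classed as periodic; a longer capture would be needed before the "same thing, 25 seconds later" observation in the post can be confirmed by interval rather than by eye.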
Current thread:
- MISC loopback traffic Francois Baligant (Jul 20)
- Re: MISC loopback traffic Brian Caswell (Jul 20)
- Re: MISC loopback traffic Phil Wood (Jul 20)
- Re: MISC loopback traffic Francois Baligant (Jul 23)
- Re: MISC loopback traffic Brian Caswell (Jul 23)
- Re: MISC loopback traffic Phil Wood (Jul 20)
- Re: MISC loopback traffic Brian Caswell (Jul 20)
- <Possible follow-ups>
- Misc loopback traffic Michael J. Barillier (Aug 31)
- Re: Misc loopback traffic J. C. Woods (Aug 31)