Snort mailing list archives
Re: MISC loopback traffic
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Nov 2001 15:30:03 -0500
This means that snort detected a packet on the ethernet wire which is from a loopback address. Loopback addresses are intended to be used to allow a process to connect to a port on the local machine without going out over any kind of network wire. The appearance of such an address on any network wire is invalid as per RFC 1700's "special addresses" section:
--------
(g) {127, <any>} Internal host loopback address. Should never appear outside a host.
----------
See http://www.ietf.org/rfc/rfc1700.txt for the rest of that document, but the rest is mostly irrelevant here.
As best I know there are two cases that are likely to cause what you are seeing:
1) Crafted packets with spoofed addresses trying to sneak past a machine's IPfilter rules (only works if they are poorly written and lack spoof protection rules).
2) Some bozo thought the 127.*.*.* block was prime real estate for private addresses, ignoring or not knowing the fact that doing so is invalid. The IP addresses 10.*.*.*, 192.168.*.* and one other block of IPs (which I forget the address of offhand) are reserved for private network applications, and should be used instead.
Given the large number of addresses, and the fact that none are 127.0.0.1 (the "normal" loopback, and the best candidate for spoofing), I suspect case number 2 is in effect, but you should take a closer look at the packets to see where they are going to see if they have malicious intent, or are merely a foolish mistake.
At 02:24 PM 11/16/2001, you wrote:
I am seeing entries from Snort as shown below. Any ideas/thoughts as to what causes this? I have looked in the FW logs and can't see anything that corresponds to these snort events.
#1-208658| [2001-11-15 16:32:24] 127.184.201.85 [ext fw ip] MISC loopback traffic