Snort mailing list archives

loopback traffic on the network


From: rms <rms () telekom yu>
Date: 27 Feb 2002 14:04:07 +0100

I see a lot of traffic like this going through my router. All sorts of
loopback addresses as source. The destination is a single DNS server.

Does anybody know what this could be?
Sample:
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:04.499538 127.184.74.150:12147 -> xxx.xxx.56.98:3385
UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
Len: 10

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:04.579538 127.9.163.142:32067 -> xxx.xxx.56.98:22719
UDP TTL:239 TOS:0x0 ID:17326 IpLen:20 DgmLen:30 DF
Len: 10
...
...
...
and so on... A very large number of alerts of this kind, only changing the
destination port and source address.

Any hints, pointers, URLs, resources, anything?

Another question: is it possible to see a regular packet on the network
having 127.x.x.x as:
a) source
b) destination address

If the answer is yes, then under what conditions might this be (an example
would be appreciated)?

TIA
R.Soskic
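
One way to triage a large batch of alerts like those quoted in the post, as an added example that is not part of the original message: it parses the alert layout shown above and groups loopback-source alerts by destination, collecting the distinct sources, destination ports and TTLs. The sample is constructed from the post's two alerts with the masked destination replaced by the placeholder 192.0.2.98, plus one made-up non-loopback alert; the function name is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample; 192.0.2.98 is a placeholder for the masked destination.
SAMPLE = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:04.499538 127.184.74.150:12147 -> 192.0.2.98:3385
UDP TTL:239 TOS:0x0 ID:13808 IpLen:20 DgmLen:30 DF
Len: 10

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:04.579538 127.9.163.142:32067 -> 192.0.2.98:22719
UDP TTL:239 TOS:0x0 ID:17326 IpLen:20 DgmLen:30 DF
Len: 10

[**] [1:0:1] constructed non-loopback alert [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
02/24-16:17:05.000000 198.51.100.7:53 -> 192.0.2.98:1024
UDP TTL:60 TOS:0x0 ID:1 IpLen:20 DgmLen:30 DF
Len: 10
"""

FLOW = re.compile(r"^\d\d/\d\d-[\d:.]+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
TTL = re.compile(r"\bTTL:(\d+)")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def summarize_loopback_sources(text):
    """Group alerts whose source is in 127.0.0.0/8 by destination address."""
    summary = defaultdict(
        lambda: {"alerts": 0, "sources": set(), "dports": set(), "ttls": set()})
    current = None  # summary entry for the alert being read, if loopback-sourced
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:
            src, _sport, dst, dport = m.groups()
            current = None
            if ipaddress.ip_address(src) in LOOPBACK:
                current = summary[dst]
                current["alerts"] += 1
                current["sources"].add(src)
                current["dports"].add(int(dport))
            continue
        t = TTL.search(line)
        if t and current is not None:  # header line that follows the flow line
            current["ttls"].add(int(t.group(1)))
    return dict(summary)
```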


