Snort mailing list archives
bad traffic loopback traffic
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Thu, 6 Feb 2003 13:49:03 -0800
Hello all,

I'm getting a lot of bad traffic loopback traffic alerts (sid=528) from 127.0.0.1:1024 to 255.255.255.255:67.

tcpdump -e -i lo0 -n records no packets, even when new alerts are being generated.

tcpdump -e -i xl0 -n host 127.0.0.1 gets this:

    11:59:32.949764 0:60:1d:0:6:a0 ff:ff:ff:ff:ff:ff 0800 586: 127.0.0.1.1024 > 255.255.255.255.67: (request) xid:0x641b767c secs:32768 [|bootp]

and a whole lot more like it (like 2500+ alerts on snort today, and this has been going on for the life of this machine, about a week).

I'm confused. What's going on here? I'm not running a DHCP client or server, and for that matter, lo0 is silent unless I deliberately use it (I left tcpdump on for a half hour, the only thing it logged was when I pinged localhost). Where is this traffic coming from and is it valid (and if so, why is it so persistent?).

Your thoughts are appreciated.

Benjamin

Other/More Info:
Snort is started with -i xl0
I am currently on a switch waiting to move to a hub
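One way to triage a capture like the one quoted above, as an added example that is not part of the original post: tally frames seen on a physical interface that claim a 127.0.0.0/8 source, grouped by the Ethernet source address each frame carries. The function names are hypothetical, the regex assumes the older "tcpdump -e -n" line layout shown in the post, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

# Layout assumed from the line quoted in the post:
# time src_mac dst_mac ethertype length: src_ip.port > dst_ip.port: ...
# Lines without ports (e.g. ICMP) do not match and are skipped.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) "
    r"(?P<etype>[0-9a-f]{4}) (?P<len>\d+): "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def norm_mac(mac):
    """Zero-pad each octet so 0:60:1d:0:6:a0 compares equal to 00:60:1d:00:06:a0."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def loopback_sources(lines):
    """Count IPv4 frames with a loopback source IP, keyed by
    (ethernet source MAC, destination IP, destination port)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["etype"] != "0800":   # IPv4 frames only
            continue
        if ip_address(m["sip"]) in LOOPBACK:
            hits[(norm_mac(m["smac"]), m["dip"], int(m["dport"]))] += 1
    return hits

# First line is the one quoted in the post; the other two are constructed.
SAMPLE = """\
11:59:32.949764 0:60:1d:0:6:a0 ff:ff:ff:ff:ff:ff 0800 586: 127.0.0.1.1024 > 255.255.255.255.67: (request) xid:0x641b767c secs:32768 [|bootp]
11:59:36.951201 0:60:1d:0:6:a0 ff:ff:ff:ff:ff:ff 0800 586: 127.0.0.1.1024 > 255.255.255.255.67: (request) xid:0x641b767c secs:32768 [|bootp]
11:59:40.100000 0:0:5e:0:53:1 0:0:5e:0:53:2 0800 74: 192.0.2.10.40000 > 192.0.2.20.80: S 1:1(0) win 8192
""".splitlines()

if __name__ == "__main__":
    for (mac, dip, dport), count in loopback_sources(SAMPLE).most_common():
        print(f"{count:6d}  src_mac={mac}  ->  {dip}:{dport}")
```

Comparing the reported MAC with the local interface's own address (from ifconfig xl0) shows whether the frames originate on the sensor host or on another device on the segment.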
Current thread:
- bad traffic loopback traffic Everist, Benjamin S. (NASWI) (Feb 06)
- Re: bad traffic loopback traffic twig les (Feb 06)
- Re: bad traffic loopback traffic Matt Kettler (Feb 06)
- <Possible follow-ups>
- RE: bad traffic loopback traffic Everist, Benjamin S. (NASWI) (Feb 06)