Snort mailing list archives
Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80?
From: Jyri Hovila <jyri.hovila () iki fi>
Date: Mon, 1 Sep 2003 17:18:54 +0300
Hi everyone!

It (once again) seems to be impossible to get anything through to SecurityFocus's incidents list, so I dare to take the chance and post here.

Since I wrote the following message, a third Snort sensor has also started reporting similar traffic. I have now recorded a total of 162 of these packets.

------------------------- original message -------------------------

Two of my Snort sensors, connected to separate ISPs, have started reporting TCP traffic from 127.0.0.1, port 80. The first such packet was found August the 30th at 11.57 EET/GMT+2. So far I've recorded 104 of them.

They all have A and R flags up, TTL is either 121 or 122 and there's no payload. Destination ports appear to be randomly selected between 1024 and 2000. Packets have been destined to all the addresses of the /27 subnets my Snort sensors are watching.

Here's a sample from ACID:

------------------------------------------------------------------------------
#(19 - 1042) [2003-08-30 11:57:53] url[snort/528] BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 195.197.xxx.xxx hlen=5 TOS=0 dlen=40 ID=3626 flags=0 offset=0 TTL=122 chksum=65362
TCP: port=80 -> dport: 1850 flags=***A*R** seq=0 ack=1855651841 off=5 res=0 win=0 urp=0 chksum=1623
Payload: none
------------------------------------------------------------------------------

My Snort sensors have been running for a couple of years but they've never recorded anything similar before.

Is anyone else seeing this kind of packets? Any ideas what could be causing them?

- Jyri
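Added example, not part of the original post and not Snort or ACID code: a small Python parser for alert text in the layout quoted in the message above, counting the alerts that show every trait the post lists (loopback source, source port 80, only ACK and RST set, destination port 1024-2000, no payload). The sample input is constructed (its first record reuses the post's values), and the function names are assumptions.

```python
import ipaddress
import re

# Constructed input: record 1 copies the post's values, record 2 is invented.
SAMPLE = """\
#(19 - 1042) [2003-08-30 11:57:53] url[snort/528] BAD-TRAFFIC loopback traffic
IPv4: 127.0.0.1 -> 195.197.xxx.xxx hlen=5 TOS=0 dlen=40 ID=3626 flags=0 offset=0 TTL=122 chksum=65362
TCP: port=80 -> dport: 1850 flags=***A*R** seq=0 ack=1855651841 off=5 res=0 win=0 urp=0 chksum=1623
Payload: none
#(19 - 1043) [2003-08-30 12:01:10] constructed contrast alert
IPv4: 192.0.2.10 -> 195.197.xxx.xxx hlen=5 TOS=0 dlen=40 ID=11 flags=0 offset=0 TTL=54 chksum=1
TCP: port=80 -> dport: 1500 flags=***A**S* seq=7 ack=8 off=5 res=0 win=5840 urp=0 chksum=2
Payload: none
"""

# One alert; re.S lets it match whether or not line breaks survived archiving.
RECORD = re.compile(
    r"#\((?P<sid>\d+) - (?P<cid>\d+)\) \[(?P<ts>[^\]]+)\].*?"
    r"IPv4: (?P<src>\S+) -> (?P<dst>\S+).*?TTL=(?P<ttl>\d+).*?"
    r"TCP: port=(?P<sport>\d+) -> dport: (?P<dport>\d+) flags=(?P<flags>\S{8})"
    r".*?Payload: (?P<payload>\S+)", re.S)

def parse_alerts(text):
    alerts = []
    # Split before each "#(sid - cid)" header so a match never spans two alerts.
    for chunk in re.split(r"(?=#\(\d+ - \d+\))", text):
        if m := RECORD.search(chunk):
            a = m.groupdict()
            a.update({k: int(a[k]) for k in ("sid", "cid", "ttl", "sport", "dport")})
            a["flags"] = set(a["flags"]) - {"*"}  # Snort prints unset flags as '*'
            alerts.append(a)
    return alerts

def matches_reported_pattern(a):
    # All traits from the post: loopback src, port 80, ACK+RST only, dport 1024-2000, no payload.
    try:
        loopback = ipaddress.ip_address(a["src"]).is_loopback
    except ValueError:  # masked or malformed address
        loopback = False
    return (loopback and a["sport"] == 80 and a["flags"] == {"A", "R"}
            and 1024 <= a["dport"] <= 2000 and a["payload"] == "none")

def summarize(alerts):
    hits = [a for a in alerts if matches_reported_pattern(a)]
    return {"total": len(alerts), "matching": len(hits),
            "ttls": sorted({a["ttl"] for a in hits})}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```

Grouping the matching alerts by TTL and destination port across sensors gives the same comparison the post makes by hand.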