Snort mailing list archives
Re: Strange Loopback Traffic
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 07 Oct 2003 23:35:13 -0500
On Tue, 2003-10-07 at 21:57, Chad Gross - Loretel wrote:
I have a single snort host with dual nics, one monitoring internal traffic, one monitoring external traffic (setup in stealth mode). I consistently see this traffic: BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1969 BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1369 BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1177 . . . W.X.Y.Z is the external address of the firewall, which has anti-spoofing enabled. Sometimes the dest IP is from another IP on the subnet, but more often it is the ext firewall IP. Any ideas?
No idea, but we've seen this too since last last week. It appears to be spoofed packet coming in from the Internet. Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Strange Loopback Traffic Chad Gross - Loretel (Oct 07)
- Re: Strange Loopback Traffic Frank Knobbe (Oct 07)
- Re[2]: Strange Loopback Traffic Jyri Hovila (Oct 08)
- Re: Re[2]: Strange Loopback Traffic Frank Knobbe (Oct 10)
- SnortCenter Sensor failed to start samwun (Oct 18)
- Re[2]: Strange Loopback Traffic Jyri Hovila (Oct 08)
- <Possible follow-ups>
- Strange Loopback traffic Scott Weller (Oct 10)
- Re: Strange Loopback Traffic Frank Knobbe (Oct 07)