Snort mailing list archives
Re: RE: BAD-TARFFIC Loopback traffic
From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 20 Dec 2003 14:56:57 -0500 (EST)
As a follow-up to the discussions in the list [0, 1] about Snort seeing 127.0.0.1 traffic, I thought this was interesting.

I was just playing with NMap's new service detection feature [2] and did a scan as follows:

From host A, run:
        nmap -A -T4 -F 192.168.1.0/24

Snort is on "snorter" at 192.168.1.22

I got this syslog alert; note it is ICMP, not TCP/80 or TCP/25 as previously discussed.

Dec 20 13:53:08 snorter snort: [1:528:3] BAD TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: <eth0> {ICMP} 127.0.0.1 -> 192.168.99.0

I isolated the packet, as follows:

/tmp# snort -Xqvder snort.log.2003-12-20.pcap src 127.0.0.1

12/20-13:53:08.203033 0:6:29:A2:AB:3F -> FF:FF:FF:FF:FF:FF type:0x800 len:0x3C
127.0.0.1 -> 192.168.1.0 ICMP TTL:39 TOS:0x0 ID:36980 IpLen:20 DgmLen:28
Type:8  Code:0  ID:58555   Seq:35350  ECHO
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The only thing not clear is IF this packet actually made it onto the wire, or if Snort only saw it because it was loopback on the Snort host itself.

Unfortunately I will not have time to pursue this any more at the moment.

Later,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=106745650608485&w=2
[1] RHEL 3 (Taroon Beta) sendmail put 127.0.0.1 packets out on the wire with a src or dst (I forget which) port 25. When I killed sendmail and some other related service they went away. Presumably that was a bug and is fixed in the released RHEL 3, but I have not tested that.
[2] http://www.insecure.org/nmap/versionscan.html

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?
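The alert and the snort -X hex dump in the post carry enough to re-decode the packet offline and check it against the condition the loopback rule fires on. The script below is an added example, not JP's code and not part of Snort: it rebuilds the raw frame from the four dump lines quoted above, decodes the Ethernet, IPv4 and ICMP headers, verifies both checksums, and applies a loopback-source test of the kind sid 528 performs (the rule is assumed here to match any IP packet whose source address falls in 127.0.0.0/8; the function names and the result dictionary are my own).

```python
import ipaddress
import re
import struct

# Constructed input: the four "snort -X" hex-dump lines quoted in the post above.
SNORT_HEXDUMP = """\
0x0000: FF FF FF FF FF FF 00 06 29 A2 ED 3E 08 00 45 00  ........)..>..E.
0x0010: 00 1C 90 74 00 00 27 01 60 C3 7F 00 00 01 C0 A8  ...t..'.`.......
0x0020: 63 00 08 00 89 2D E4 BB 8A 16 00 00 00 00 00 00  c....-..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00              ............
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_hexdump(text):
    """Rebuild the raw frame from 'offset: <16 hex bytes>  <ascii>' dump lines.

    The hex column of snort -X output is fixed at 16 * 3 = 48 characters, so it
    is sliced off before the ASCII column, which could itself hold hex-looking text.
    """
    frame = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_column = line.split(":", 1)[1][1:49]
        for tok in hex_column.split():
            if not HEX_BYTE.match(tok):
                raise ValueError("unexpected token in hex column: %r" % tok)
            frame.append(int(tok, 16))
    return bytes(frame)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> ICMP and report header fields plus checksum validity."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    (ver_ihl, tos, total_len, ip_id, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "dst_mac": mac_str(dst_mac),
        "src_mac": mac_str(src_mac),
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "tos": tos,
        "ip_id": ip_id,
        "ip_len": total_len,
        "proto": proto,
        # A header that checksums to zero is intact.
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if proto == 1:
        # Bound the ICMP message by the IP total length, not the frame length:
        # the 60-byte frame carries Ethernet padding after the 28-byte datagram.
        icmp = ip[ihl:total_len]
        icmp_type, code, _icmp_csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        pkt.update({
            "icmp_type": icmp_type,
            "icmp_code": code,
            "icmp_id": icmp_id,
            "icmp_seq": seq,
            "icmp_checksum_ok": inet_checksum(icmp) == 0,
        })
    return pkt


LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def is_loopback_traffic(pkt):
    """Assumed sid 528 logic: an IP packet sourced from 127.0.0.0/8 has no business
    appearing on a non-loopback interface, so it is worth alerting on."""
    return ipaddress.IPv4Address(pkt["src_ip"]) in LOOPBACK


if __name__ == "__main__":
    pkt = decode_frame(parse_snort_hexdump(SNORT_HEXDUMP))
    for k, v in pkt.items():
        print("%-18s %s" % (k, v))
    print("loopback traffic:", is_loopback_traffic(pkt))
```

Decoding the hex bytes reproduces the values in the syslog alert and the dump header (destination 192.168.99.0, IP ID 36980, ICMP ID 58555, sequence 35350), and both the IP and ICMP checksums verify, so this is a well-formed echo request rather than a damaged capture. What the decode cannot settle is the open question in the post: the frame as captured on eth0 has a complete Ethernet header with a broadcast destination, but whether it actually left the NIC is not something the bytes alone can tell you.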