Snort mailing list archives

Re: Bad Loop Back Traffic


From: SN ORT <snort_on_acid () yahoo com>
Date: Wed, 25 Feb 2004 14:01:12 -0800 (PST)

So you have this hub, connected to both the firewall
and the router. Do you also have another connection,
connecting the router to the firewall? Now the
firewall and the router have two connections to each
other? If you have a switch in between as well, this
would cause a spanning tree problem. Or is this hub
the only connection between the two? If not, then I
would suggest a different way to monitor the
connections, such as a switch between the router/fw
and if you have that already, the switch should then
mirror the router port only.

If the hub is the only connection, then is your sensor
acting as a router? And the IP of your non-sniffing
interface is an internal IP connected internally?

Cheese!

Marc

Message: 5
Reply-To: "Scott Elgram" <SElgram () verifpoint com>
From: "Scott Elgram" <SElgram () verifpoint com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bad Loop Back Traffic
Date: Tue, 24 Feb 2004 09:52:35 -0800
Organization: VerifPoint/CreDENTALs

Hummm, interesting,
   I have my SNORT installed on RH9 with 2 interfaces.  The interface with
the sensor is connected to a hub between my router and firewall.  The
interface has no IP address and catches only out-bound and in-bound traffic
from the internet.  For a while I was under the impression that this "Bad
Loop Back Traffic" was the result of having an interface up with no IP or
configuration.  Could this be the reason you think?
-Scott Elgram

----- Original Message -----
From: <bclark () bwkip com>
To: <snort-users () lists sourceforge net>
Cc: <SElgram () verifpoint com>
Sent: Tuesday, February 24, 2004 9:01 AM
Subject: Re: [Snort-users] Bad Loop Back Traffic


I have also seen this type of traffic, about 200,000 alerts last night.  I
am not sure but I think it is a client's Windows machine.


Hello,
    I have an abundance of alerts telling me
url[snort] BAD-TRAFFIC loopback traffic on 127.0.0.1:80
According to snort this is due to improperly configured interfaces.
Which part is improperly configured and how can I fix this? Or have I
been hacked?

-Scott Elgram
IT/Systems Support
VerifPoint/CreDENTALs
(949)770-5290 ext. 26



