Snort mailing list archives
Re: Bad Loop Back Traffic
From: SN ORT <snort_on_acid () yahoo com>
Date: Wed, 25 Feb 2004 14:01:12 -0800 (PST)
So you have this hub, connected to both the firewall and the router. Do you also have another connection, connecting the router to the firewall? Now the firewall and the router have two connections to each other? If you have a switch in between as well, this would cause a spanning tree problem. Or is this hub the only connection between the two? If not, then I would suggest a different way to monitor the connections, such as a switch between the router/fw, and if you have that already, the switch should then mirror the router port only. If the hub is the only connection, then is your sensor acting as a router? And is the IP of your non-sniffing interface an internal IP, connected internally?

Cheese!
Marc
Message: 5
Reply-To: "Scott Elgram" <SElgram () verifpoint com>
From: "Scott Elgram" <SElgram () verifpoint com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bad Loop Back Traffic
Date: Tue, 24 Feb 2004 09:52:35 -0800
Organization: VerifPoint/CreDENTALs
Hummm, interesting, I have my SNORT installed on RH9 with 2 interfaces. The interface with the sensor is connected to a hub between my router and firewall. The interface has no IP address and catches only out-bound and in-bound traffic from the internet. For a while I was under the impression that this "Bad Loop Back Traffic" was the result of having an interface up with no IP or configuration. Could this be the reason you think?

-Scott Elgram
----- Original Message -----
From: <bclark () bwkip com>
To: <snort-users () lists sourceforge net>
Cc: <SElgram () verifpoint com>
Sent: Tuesday, February 24, 2004 9:01 AM
Subject: Re: [Snort-users] Bad Loop Back Traffic
I have also seen this type of traffic, about 200,000 alerts last night. I am not sure, but I think it is a client's Windows machine.
Hello,

I have an abundance of alerts telling me

[snort] BAD-TRAFFIC loopback traffic on 127.0.0.1:80

According to snort this is due to improperly configured interfaces. Which part is improperly configured and how can I fix this? Or have I been hacked?

-Scott Elgram
IT/Systems Support
VerifPoint/CreDENTALs
(949)770-5290 ext. 26
Current thread:
- Bad Loop Back Traffic Scott Elgram (Feb 24)
- <Possible follow-ups>
- Re: Bad Loop Back Traffic bclark (Feb 24)
- Re: Bad Loop Back Traffic Mat Harris (Feb 24)
- Re: Bad Loop Back Traffic Frank Knobbe (Feb 24)
- Re: Bad Loop Back Traffic Scott Elgram (Feb 25)
- RE: Bad Loop Back Traffic Finney Charles E (Feb 24)
- Re: RE: Bad Loop Back Traffic Scott Elgram (Feb 25)
- Re: RE: Bad Loop Back Traffic James Nonya (Feb 24)
- Re: Bad Loop Back Traffic SN ORT (Feb 25)
- Re: Bad Loop Back Traffic Scott Elgram (Feb 27)
- Re: Bad Loop Back Traffic Mark . Schutzmann (Feb 27)