Snort mailing list archives
Re: Snort Abend after BAD-TRAFFIC
From: Mark.Schutzmann () Omron com
Date: Sun, 21 Mar 2004 13:59:56 -0600
Jason,
Thanks for your insight. It makes sense that if I am getting slammed with
something that the file structure would grow enormously. As a matter of
fact, I was unable to do an rm -rf /var/log/snort/* as it was giving me an
error. Coincidentally, I have been seeing a ton of this type of traffic
from my Cisco PIX firewall:
106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface
inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.238.238 on interface
inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.49.110 on interface
inside
...and also a ton of this from Snort:
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.3.124:1577
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80
-> 209.176.81.250:1095
Any ideas about whether this is a security breach or new worm? I have never
seen this prior to today.
Thanks,
Mark
Jason <security () brvenik com>
Sent by: To: Mark.Schutzmann () Omron com
snort-users-admin () lists sour cc: snort-users () lists sourceforge net
ceforge.net Subject: Re: [Snort-users] Snort Abend after BAD-TRAFFIC
03/21/2004 10:56 AM
I believe your problem will be resolved by moving to a different logging
format.
the message
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() =>
mkdir(/var/log/snort/209.176.247.84) log directory: Too many link
s
indicates you have too many files under the current directory.
Mark.Schutzmann () Omron com wrote:
I saw these messages in my syslog this morning after an alert that Snort had abended. There were more than 100 of the BAD-TRAFFIC messages though. Does anyone have any suggestions about whether there is some
configuration
in my snort.conf or other external factors that could have caused this? Best Regards, Mark Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback
traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.102.178:1043
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback
traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback
traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback
traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
{TCP} 127.0.0.1:80 -> 209.176.247.84:1704
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() =>
mkdir(/var/log/snort/209.176.247.84) log directory: Too many link
s
Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- <Possible follow-ups>
- Re: Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Frank Knobbe (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Steve Thompson (Mar 23)