Snort mailing list archives
Re: Snort Abend after BAD-TRAFFIC
From: Mark.Schutzmann () Omron com
Date: Sun, 21 Mar 2004 13:59:56 -0600
Jason,

Thanks for your insight. It makes sense that if I am getting slammed with something that the file structure would grow enormously. As a matter of fact, I was unable to do an rm -rf /var/log/snort/* as it was giving me an error.

Coincidentally, I have been seeing a ton of this type of traffic from my Cisco PIX firewall:

106016: Deny IP spoof from (127.0.0.1) to 209.176.173.238 on interface inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.238.238 on interface inside
106016: Deny IP spoof from (127.0.0.1) to 209.176.49.110 on interface inside

...and also a ton of this from Snort:

Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.81.250:1095

Any ideas about whether this is a security breach or new worm? I have never seen this prior to today.

Thanks,
Mark

Jason <security () brvenik com>
Sent by: snort-users-admin () lists sourceforge net
To: Mark.Schutzmann () Omron com
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Abend after BAD-TRAFFIC
03/21/2004 10:56 AM

I believe your problem will be resolved by moving to a different logging format. The message

Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links

indicates you have too many files under the current directory.

Mark.Schutzmann () Omron com wrote:
I saw these messages in my syslog this morning after an alert that Snort had abended. There were more than 100 of the BAD-TRAFFIC messages though. Does anyone have any suggestions about whether there is some configuration in my snort.conf or other external factors that could have caused this?

Best Regards,
Mark

Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.102.178:1043
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.6.213:1713
Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.247.84:1704
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
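An added triage example, not part of the original messages or of Snort itself: it parses syslog lines in the format quoted above, counts alerts per generator:SID, and estimates how many per-host directories the alerts imply under /var/log/snort compared with a per-directory subdirectory limit. The function name, the 31998 limit (an ext2/ext3 assumption; the thread does not name the filesystem) and the rule for choosing the directory name are assumptions.

```python
import re
from collections import Counter

# Sample lines taken from the alerts quoted in this thread.
SAMPLE = """\
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.16.250:1260
Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.81.250:1095
Mar 21 10:28:37 OEI-RHLXSnort snort: FATAL ERROR: OpenLogFile() => mkdir(/var/log/snort/209.176.247.84) log directory: Too many links
Mar 21 10:28:37 OEI-RHLXSnort kernel: device eth0 left promiscuous mode
"""

ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[Classification:"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")
MKDIR_RE = re.compile(r"FATAL ERROR: OpenLogFile\(\) => mkdir\((?P<path>[^)]+)\)")

# Assumption: ext2/ext3 log volume, where a directory holds at most 32000
# links, i.e. 31998 subdirectories besides "." and "..".
MAX_SUBDIRS = 31998


def summarize(text, max_subdirs=MAX_SUBDIRS):
    """Count alerts per gid:sid and the per-host log directories they imply."""
    per_sid, hosts, fatal = Counter(), set(), []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            per_sid[f'{m["gid"]}:{m["sid"]}'] += 1
            # Assumption: the per-host directory is named after the
            # non-loopback endpoint, as in the mkdir() path in the thread.
            hosts.add(m["dst"] if m["src"].startswith("127.") else m["src"])
            continue
        m = MKDIR_RE.search(line)
        if m:
            fatal.append(m["path"])  # Snort exits after this error
    return {"alerts": sum(per_sid.values()), "per_sid": dict(per_sid),
            "host_dirs": len(hosts), "headroom": max_subdirs - len(hosts),
            "mkdir_failures": fatal}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the full syslog, a `host_dirs` value approaching the limit, or any entry in `mkdir_failures`, matches the failure quoted in the thread.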
Current thread:
- Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- <Possible follow-ups>
- Re: Snort Abend after BAD-TRAFFIC Mark . Schutzmann (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Frank Knobbe (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason Haar (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Jason (Mar 21)
- Re: Snort Abend after BAD-TRAFFIC Steve Thompson (Mar 23)