Snort mailing list archives
RE: a lot of Loopback traffic being logged.
From: rod <rod () thenewdawn tv>
Date: Thu, 27 May 2004 16:02:36 +0100
We had this for a short while, finally tracked it down to a wormed box on the other side of the router. The router was letting src traffic from 127.0.0.1 through to our public addresses; this has now been corrected and the traffic has been stopped.

Best regards,
Rod

On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a while with this command:

tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

I'm assuming I'm doing this right. I'm trying to log only packets from 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and write to a file called dump. Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes that is sending out the 127.0.0.1, or did I simply pick up two packets sent out from hal2 to these other machines?

I looked at snort and the exact same IPs, with the exact same ports, were logged coming from 127.0.0.1. To say the least, I'm confused even more!!

Hi,

I see it on my external interface too. I used tcpdump with the -e parameter to display the MAC address of the sender:

tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch. So all packets come from the external network (I think). I am connected over a wi-fi AP, and when I sniffed, I saw that these packets were coming to most connected people on this AP. I don't know what it can be.

Regards,
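
An added example, not part of the original thread: the `tcpdump -e` check described above, automated as a script that tallies by sender MAC every captured packet whose IP source is in 127.0.0.0/8. The MAC addresses and sample lines are constructed, and the line layout assumed is the text output of current tcpdump releases run with `-e -n`.

```python
import ipaddress
import re
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Link-level header printed by `tcpdump -e -n`, then the IPv4 source (addr[.port]).
LINE_RE = re.compile(
    r"^\S+ (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > ",
    re.IGNORECASE,
)

# Constructed sample capture: two loopback-sourced resets, one normal SYN, one ARP.
SAMPLE = """\
13:04:11.172652 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.50.1361: Flags [R.], seq 0, ack 799408129, win 0, length 0
13:04:54.391786 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.168.42.52.1196: Flags [R.], seq 0, ack 1316880385, win 0, length 0
13:05:02.000100 02:00:00:00:00:03 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.168.42.7.51512 > 192.168.42.50.22: Flags [S], seq 1, win 64240, length 0
13:05:03.000200 02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.42.1 tell 192.168.42.7, length 28
"""


def loopback_senders(lines):
    """Count packets with a 127.0.0.0/8 source, keyed by the sender's MAC."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP, IPv6, VLAN-tagged frames, or an unparsable line
        try:
            src = ipaddress.ip_address(m.group("src_ip"))
        except ValueError:
            continue  # octet out of range, not a real IPv4 address
        if src in LOOPBACK:
            counts[m.group("src_mac").lower()] += 1
    return counts


if __name__ == "__main__":
    # A loopback source seen on a physical interface was put on the wire by
    # the device owning this MAC (or forwarded by it, if it is a router).
    for mac, n in loopback_senders(SAMPLE.splitlines()).most_common():
        print(f"{mac}  {n} packet(s) with loopback source")
```

A MAC that belongs to the upstream router or switch means the packets were forwarded from outside the segment, which is the case where ingress filtering of 127.0.0.0/8 on that device is the fix.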