Snort mailing list archives
RE: a lot of Loopback traffic being logged.
From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Thu, 27 May 2004 14:06:05 -0300
Hello Rod,

I think it's a good idea to document this. What's the worm's name?

Regards,
Alejandro
We had this for a short while, finally tracked it down to a wormed box on the other side of the router. The router was letting src traffic from 127.0.0.1 through to our public addresses; this has now been corrected and the traffic has been stopped.

best regards
Rod

________________________________________________________________________

On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:

Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a while with this command:

tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump

I'm assuming I'm doing this right. I'm trying to log only packets from 127.0.0.1 and log the whole Ethernet packet (1518) on interface eth0 and write to a file called dump.

Now, I did this and got two loggings in tcpdump:

13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0

hal2 is the server that has tcpdump on it. Is this machine one of the boxes that is sending out the 127.0.0.1, or did I simply pick up two packets sent out from hal2 to these other machines? I looked at snort and the exact same IPs, with the exact same ports, were logged coming from 127.0.0.1.

To say the least I'm confused even more!!

Hi,

I see it on my external interface too. I used tcpdump with the -e parameter to display the MAC address of the sender:

tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch. So all packets come from the external network (I think). I am connected over a wi-fi AP and when I sniffed, I have seen these packets coming to most connected people on this AP. I don't know what it can be.

Regards,

-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
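The thread's diagnostic step is the one in the quoted "tcpdump -e" message: capture with the Ethernet header shown, then check whose MAC address the 127.0.0.1 packets carry. If they carry the router's MAC they came through the router from outside (Rod's case, fixed by making the router drop them); any other MAC is a host on the local segment. The script below is an added example, not code from the thread or from the Snort project, that automates that triage over "tcpdump -e -n" output. The sample capture, the MAC addresses, the function names and the choice of bogus source ranges (the RFC 3330 "martian" networks, with RFC 1918 space added only when the capture interface faces the Internet) are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Source networks that should never appear on a packet received from the wire.
# ALWAYS_BOGUS (RFC 3330 martians): "this" net, loopback, link-local, multicast,
# class E. RFC 1918 space is bogus only on an Internet-facing interface, so it
# is added on request rather than unconditionally (the thread's LAN is 192.168.42/24).
ALWAYS_BOGUS = ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def martian_nets(external_interface):
    nets = ALWAYS_BOGUS + (RFC1918 if external_interface else ())
    return [ipaddress.ip_network(n) for n in nets]


# One line of `tcpdump -e -n` output for an IPv4 TCP/UDP packet:
# "<ts> <src mac> > <dst mac>, ethertype IPv4 (0x0800), length N: <sip>.<sport> > <dip>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+ethertype IPv4 \(0x0800\).*?:\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one tcpdump -e -n line; returns None for non-IPv4 frames (ARP etc.)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["smac"], f["dmac"] = f["smac"].lower(), f["dmac"].lower()
    f["sip"], f["dip"] = ipaddress.ip_address(f["sip"]), ipaddress.ip_address(f["dip"])
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def is_martian(addr, nets):
    return any(addr in net for net in nets)


def attribute_martians(capture_text, gateway_mac, external_interface=False):
    """Count martian-source packets per sending MAC and say where each sender sits.

    A martian carrying the gateway's MAC came through the router, so the
    upstream side is forwarding spoofed sources; any other MAC is a host
    on this very segment. Returns {mac: (count, verdict)}."""
    nets = martian_nets(external_interface)
    gateway_mac = gateway_mac.lower()
    per_mac = Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_martian(pkt["sip"], nets):
            continue
        per_mac[pkt["smac"]] += 1
    report = {}
    for mac, n in per_mac.items():
        if mac == gateway_mac:
            verdict = "via gateway: upstream is forwarding spoofed sources"
        else:
            verdict = "host on local segment: check it for infection/misconfiguration"
        report[mac] = (n, verdict)
    return report


# Constructed sample capture in tcpdump -e -n style (not taken from the thread).
# 00:0a:41:9c:2b:01 plays the upstream router, 00:13:72:aa:bb:cc a local host,
# 00:0c:29:5e:11:aa the sniffing server. Line 2 is an ordinary reply and line 4
# is ARP; neither should be counted.
GATEWAY_MAC = "00:0A:41:9C:2B:01"
SAMPLE_CAPTURE = """\
13:04:11.172652 00:0a:41:9c:2b:01 > 00:0c:29:5e:11:aa, ethertype IPv4 (0x0800), length 62: 127.0.0.1.1361 > 192.168.42.50.80: Flags [S], seq 799408128, win 16384, length 0
13:04:11.172720 00:0c:29:5e:11:aa > 00:0a:41:9c:2b:01, ethertype IPv4 (0x0800), length 60: 192.168.42.50.80 > 203.0.113.9.1361: Flags [R.], seq 0, ack 799408129, win 0, length 0
13:04:54.391786 00:0a:41:9c:2b:01 > 00:0c:29:5e:11:aa, ethertype IPv4 (0x0800), length 62: 127.0.0.1.1196 > 192.168.42.50.80: Flags [S], seq 1316880384, win 16384, length 0
13:05:02.001122 00:13:72:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.42.1 tell 192.168.42.77, length 28
13:05:10.555000 00:13:72:aa:bb:cc > 00:0c:29:5e:11:aa, ethertype IPv4 (0x0800), length 62: 127.0.0.1.4444 > 192.168.42.50.445: Flags [S], seq 1, win 16384, length 0
"""

if __name__ == "__main__":
    # Internal segment: only the always-bogus ranges count as martian.
    for mac, (n, verdict) in attribute_martians(SAMPLE_CAPTURE, GATEWAY_MAC).items():
        print(f"{mac}: {n} martian-source packet(s); {verdict}")
```

Run against a real capture with something like `tcpdump -e -n -i eth1 'src net 127.0.0.0/8' > cap.txt` and feed the file contents to `attribute_martians`, with the gateway MAC taken from the ARP table. Packets attributed to the gateway are the case the thread ended on: the router must drop them at ingress (RFC 2827 style filtering of loopback and other bogus sources), since no legitimate packet from the far side of a router ever carries a 127.0.0.0/8 source. Packets attributed to a local MAC point at a host on the segment, which is what to look at first.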
Current thread:
- How to start snort for multiple servers' traffic, (continued)
- How to start snort for multiple servers' traffic Tinni (Apr 23)
- Re: How to start snort for multiple servers' traffic Edin Dizdarevic (Apr 23)
- Re: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 22)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
- RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
- RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
- RE: a lot of Loopback traffic being logged. Milan Kocián (Apr 25)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
- RE: a lot of Loopback traffic being logged. Alejandro Flores (May 27)
- RE: a lot of Loopback traffic being logged. rod (May 28)
- how to clean up database? Cesar (May 27)