Snort mailing list archives
RE: a lot of Loopback traffic being logged.
From: "Fred Portnoy" <fportnoy () mail plymouth edu>
Date: Thu, 22 Apr 2004 15:42:51 -0400
We saw this too, and we were lucky enough, by sniffing upstream in the network, to trace it back to one of our ResNet users. We shut off the student's port and we told our ResNet folks to go clean up the machine. It got cleaned up and turned back on. Sadly, I can't tell you more specifically what the cause was. -fp -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Harry Bloomberg Sent: Thursday, April 22, 2004 2:27 PM To: Chuck Holley Cc: 'Matt Kettler'; snort-users () lists sourceforge net Subject: RE: [Snort-users] a lot of Loopback traffic being logged. On Thu, 22 Apr 2004, Chuck Holley wrote:
OK, I think im on to something. I do not use the -i option, only -c to look at the conf. in the conf I have for "HOME_NET 192.168.10.0/24" and a little further down I have "HOME_NET any"
We are forcing Snort to listen to one real port only with the -i option, and we're also seeing a *lot* of packets with a source of 127.0.0.1:80. This was confirmed by one of our network guys who plugged another packet sniffer into the Snort port. This seems to be real traffic, and we're baffled by the source. Harry Bloomberg ------------------------------------------------------- This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg=12297 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg297 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- a lot of Loopback traffic being logged. Chuck Holley (Apr 22)
- Re: a lot of Loopback traffic being logged. Matt Kettler (Apr 22)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 22)
- RE: a lot of Loopback traffic being logged. Matt Kettler (Apr 22)
- RE: a lot of Loopback traffic being logged. Harry Bloomberg (Apr 22)
- RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 22)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 22)
- Need configuration help Tinni (Apr 22)
- How to start snort for multiple servers' traffic Tinni (Apr 23)
- Re: How to start snort for multiple servers' traffic Edin Dizdarevic (Apr 23)
- Re: a lot of Loopback traffic being logged. Matt Kettler (Apr 22)
- <Possible follow-ups>
- Re: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 22)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
- RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
- RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
- RE: a lot of Loopback traffic being logged. Milan Kocián (Apr 25)
- RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)