Snort mailing list archives

RE: a lot of Loopback traffic being logged.

From: "Fred Portnoy" <fportnoy () mail plymouth edu>
Date: Thu, 22 Apr 2004 15:42:51 -0400

We saw this too, and we were lucky enough, by sniffing upstream in the
network, to trace it back to one of our ResNet users. We shut off the
student's port and we told our ResNet folks to go clean up the machine. It
got cleaned up and turned back on. Sadly, I can't tell you more specifically
what the cause was. 

-fp


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Harry
Bloomberg
Sent: Thursday, April 22, 2004 2:27 PM
To: Chuck Holley
Cc: 'Matt Kettler'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] a lot of Loopback traffic being logged.


On Thu, 22 Apr 2004, Chuck Holley wrote:

OK, I think im on to something.  I do not use the -i option, only -c 
to look at the conf.  in the conf I have for "HOME_NET 
192.168.10.0/24" and a little further down I have "HOME_NET any"

   We are forcing Snort to listen to one real port only with the -i option,
and we're also seeing a *lot* of packets with a source of 127.0.0.1:80.
This was confirmed by one of our network guys who plugged another packet
sniffer into the Snort port.  This seems to be real traffic, and we're
baffled by the source.

Harry Bloomberg



-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a
limited time only, get FREE Ground shipping on all orders of $35 or more.
Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

a lot of Loopback traffic being logged. Chuck Holley (Apr 22)
- Re: a lot of Loopback traffic being logged. Matt Kettler (Apr 22)
  - RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 22)
    - RE: a lot of Loopback traffic being logged. Matt Kettler (Apr 22)
    - RE: a lot of Loopback traffic being logged. Harry Bloomberg (Apr 22)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 22)
  - Need configuration help Tinni (Apr 22)
    - How to start snort for multiple servers' traffic Tinni (Apr 23)
    - Re: How to start snort for multiple servers' traffic Edin Dizdarevic (Apr 23)
- <Possible follow-ups>
- Re: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 22)
  - RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
    - RE: a lot of Loopback traffic being logged. Chuck Holley (Apr 23)
    - RE: a lot of Loopback traffic being logged. Fred Portnoy (Apr 23)
    - RE: a lot of Loopback traffic being logged. Milan Kocián (Apr 25)
- RE: a lot of Loopback traffic being logged. Mark . Schutzmann (Apr 23)

(Thread continues...)