Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: a lot of Loopback traffic being logged.

From: Mark.Schutzmann () Omron com
Date: Thu, 22 Apr 2004 17:08:50 -0500

I reported this same problem earlier. I had a lot of great feedback, if you
want to search the mailing list. Recently, I had this come up again. I used
Snort in non-daemon mode to find the MAC address that was associated with
the 127.0.0.1 address, which lead me to a router (ugh!), I then had to
trace that through my WAN to another network, where we found the local MAC
and traced that to a couple of Japanese engineers who were visiting our
company and had plugged their computers into our network. Unfortunately,
because we did not have a translator and could not readily sift through
their Japanese OS computers, I still cannot say what the source program was
that caused this. I simply had to quarantine their computer away from the
corporate network. If I find a translator and the program, I will forward
this info on. Let me know what you find! I suspect some virus or trojan.
This is a fairly amateur attack to actually be running manually. Good Luck!

Best Regards,
Mark


                                                                                                                        
                          
                      "Chuck Holley"                                                                                    
                          
                      <cholley () fitnessquest com>          To:       <snort-users () lists sourceforge net>           
                                
                      Sent by:                            cc:                                                           
                          
                      snort-users-admin () lists sour        Subject:  [Snort-users] a lot of Loopback traffic being 
logged.                         
                      ceforge.net                                                                                       
                          
                                                                                                                        
                          
                                                                                                                        
                          
                      04/22/2004 08:38 AM                                                                               
                          
                                                                                                                        
                          
                                                                                                                        
                          




"BAD-TRAFFIC loopback traffic"  I am getting a lot of this one alert on
127.0.0.1.  im really not sure what is causing this.  If it is faulty
networking or maybe a spoofer.  Now that I know im getting this, thanks to
SNORT, what the heck do I do about it?  Anyone ever remedy this problem?

Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley () fitnessquest com








-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: